PayPal Denies Teen Reward For Finding Bug

itwbennett writes "You have to be 18 to qualify for PayPal's bug bounty program, a minor detail that 17-year old Robert Kugler found out the hard way after being denied a reward for a website bug he reported. Curiously, the age guideline isn't in the terms and conditions posted on the PayPal website. Kugler was informed by email that he was disqualified because of his age."

Paypal suck.

[aliquis]

^ That's all.

Re:Paypal suck.

At least provide the link.

Why don't businesses get it?

[singingjim1]

That's a REALLY good way to generate positive publicity for your company - act like a douche.

Re:Why don't businesses get it?

[Mike+Frett]

Because the number of users whom don't care or didn't read this news is greater than the people that do. And they will continue to use the service no matter what.

Re:Why don't businesses get it?

[IP_Troll]

but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them. Now consider what happens if they fixed a bug based on your information, shipped a product and suddenly they have no permission anymore to use the information. Ugly.

If someone discovers a flaw in a system, you are not barred from ever fixing that flaw in the future. Whether or not the person that discovered the flaw is a minor is irrelevant.

If they offer a potential code fix you can chose not to use their code and avoid all liability.

You can try to fabricate a strawman argument to try to prove your point, but what you said is just plain wrong.

The next bug....

So, the next time a 17yo finds a bug, they don't report it, the exploit it.

Sounds like a plan.

Paypal, perhaps all future underage rewards be in the form of scholarships?

I could be worse.

PayPal could have paid into his parent's account, and then froze it.

Just give the kid his money

[TWiTfan]

I'm pretty sure most shareholders would rather you part with tiny sum of money that you owe this kid than to take the tsunami of bad PR and bad faith that would result in you being dicks about it.

Briliant.

[headhot]

Way to piss off the community you asked to hack your system. I'm sure this will go well.

Let this be a Lesson

[bengoerz]

If Paypal won't pay the kid for bugs in its system, I bet someone else will.

Perverse incentive

[wanderfowl]

"Remember kids: If you find a bug in Paypal's system, you'll get paid more for selling it to the black hats."

Secret conditions

[Geoffrey.landis]

So, basically, they have secret conditions to their offer to pay for revealing of bugs, and they don't tell anybody what those secret conditions are.

So, uh, why would anybody expect to be paid? What other secret conditions do they have, which they can reveal at any time and say "oh, so sorry, but one of our terms is that we don't pay under (xx) conditions."

--I'm sorry, but we don't pay if you work for a competitor, or a company that we deem might be a competitor in the future
--I'm sorry, but we don't pay if it's a vulnerability that can be traced to a flaw in an Adobe product, or in a commercial database program we may use that was purchased from an commercial source.
--I'm sorry, but we don't pay if you're from a country that doesn't speak English.
--I'm sorry, but we don't pay if the vulnerability is discovered by somebody from states with names beginning with a vowel.
--I'm sorry, but we don't pay if the vulnerability is one that is only active on days of the week ending in "y".

Re:scholarship?

[sleigher]

I just can't wait til the pissed off kid finds the next bug... Maybe he already did and only gave them the small one. I can hope... fuck paypal

Re:scholarship?

Actually, no, you can indeed enter into a contract with a minor. If you couldn't, I'd have my kid click through all those license agreements nobody reads.

The minor can be held to a contract that they signed if the parent knew of the contract and demonstrated acceptance, generally by not protesting it. At least that is (generally) the law in the US.

Re:scholarship?

[David_Hart]

No, but generally speaking you cannot enter a contract with a minor, which is probably the legal issue. Age of majority is variable, but in California that is 18 ys old.

They should find a way around it, but they can't just give it to him.

I am not a lawyer, but my understanding is that simply paying someone a reward is not entering into a contract.

If Paypal requires that the person who finds the bug enters into a non-disclosure and/or marketing agreement (i.e. to be able to publish their name as the bug finder) prior to receiving the reward then I would agree that this may be the issue. However, there are tons of child actors in Hollywood, so their must be a way that a minor can enter into an agreement. I'm guessing that it would require the legal guardian(s) signature.

Re:scholarship?

[dissy]

Seriously, paypal done fucked up once more.

They did a great job teaching this kid "I could sell it to paypal for zero dollars, or I can auction it on this underground forum starting at $5000"

The only thing the kid even asked paypal for was a written statement of the accomplishment to put on his resume, and they won't even send that!
Even Microsoft lists him as a security researcher for the updates they have pushed fixing bugs this kid has found and reported to them!

The worst part is, paypal has also just taught these facts to everyone else who happens to know of an exploit in their system, or ever finds one in the future.

Smart move paypal *golf clap* smart move