PayPal Reviewing Qualifying Age For Vulnerability Rewards

← Back to Stories (view on slashdot.org)

PayPal Reviewing Qualifying Age For Vulnerability Rewards

Posted by Unknown on Wednesday May 29, 2013 @03:55AM from the break-it-before-you-can-use-it dept.

itwbennett writes "In follow-up to 17-year old Robert Kugler's claim that PayPal denied him a bug bounty because he was under 18, the company now says that it is 'investigating whether it can lower the qualifying age for vulnerability rewards for those who responsibly report security problems.' The company also said that the vulnerability had already been reported by another researcher — although they didn't mention that in the email to Kugler telling him he wouldn't be receiving payment."

95 comments

Min score:

Reason:

Sort:

Award scholarships for under-aged people by WillAdams · 2013-05-29 03:58 · Score: 2

That should sidestep all the legal complications.

--
Sphinx of black quartz, judge my vow.
1. Re:Award scholarships for under-aged people by Synerg1y · 2013-05-29 04:21 · Score: 5, Informative
  
  OP is a dumbass, there aren't any legal complications here, just policy:
  
  Kugler has a record for finding security problems. He's received two payments for US$4,500 from Mozilla for finding two problems in its Firefox browser and also was listed as a noted security researcher by Microsoft last month.
  Mozilla had no problem paying him.
2. Re:Award scholarships for under-aged people by CanHasDIY · 2013-05-29 04:24 · Score: 1
  
  That should sidestep all the legal complications.
  Or, they could do what child-oriented contests and websites have done since time unknown:
  Kids! Get your parents to submit written permission and you too can take part in whatever the hell it is we're doing!
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
3. Re:Award scholarships for under-aged people by anthony_greer · 2013-05-29 04:29 · Score: 1
  
  it was promised as a cash reward, don't force him to spend it on university...put it in escrow and cut him a check when he turns 18 if there is an age issue
4. Re:Award scholarships for under-aged people by RoboRay · 2013-05-29 04:30 · Score: 0
  
  Thank your child labor laws and overprotective nanny state.
5. Re:Award scholarships for under-aged people by davmoo · 2013-05-29 04:51 · Score: 1, Insightful
  
  Mozilla is not a publicly traded corporation and all profits are plowed back in to Mozilla.
  PayPal's parent eBay, on the other hand, is a publicly traded corporation who's goal is to make a profit for stock holders. Thus laws for it are very different.
  Comparing a Mozilla bug payment to a PayPal bug payment is a very apples to oranges comparison.
  And you need to learn how to debate an issue without attacking others by calling them "dumbass".
  
  --
  I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
6. Re:Award scholarships for under-aged people by Sarten-X · 2013-05-29 04:55 · Score: 0
  
  Parent is a dumbass, "somebody else did it first" isn't a legal defense, just wishful thinking.
  ...especially when the "somebody else" is a completely different type of entity operating in a different jurisdiction with different laws and in different circumstances.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
7. Re:Award scholarships for under-aged people by Guppy · 2013-05-29 04:58 · Score: 3
  
  And give the scholarship a grand-sounding name, so the kid can get some extra mileage in buffing his resume; such documents are often read by non-technical personnel who might misunderstand "Earned $**** reward for finding security vulnerability" (OMG HAX!), but would love to see something like "Recipient of the Paypal Merit Scholarship for Computing Security Excellence in Youth".
8. Re:Award scholarships for under-aged people by Anonymous Coward · 2013-05-29 05:20 · Score: 0
  
  "somebody else did it first" isn't a legal defense
  Um, yes it is.
  
  ...especially when the "somebody else" is a completely different type of entity
  Ok, here you have a point.
9. Re:Award scholarships for under-aged people by Anonymous Coward · 2013-05-29 05:44 · Score: 0
  
  His first point stands, too. That isn't how precedent works.
10. Re:Award scholarships for under-aged people by Trimaxion · 2013-05-29 06:03 · Score: 1
  
  Mozilla is not a publicly traded corporation and all profits are plowed back in to Mozilla.
  PayPal's parent eBay, on the other hand, is a publicly traded corporation who's goal is to make a profit for stock holders. Thus laws for it are very different.
  Honest question:
  Are you saying that Mozilla has fewer constraints with respect to paying minors because it is a non-profit org?
  What if we were talking about a privately held for-profit corporation? Would they be constrained just as the publicly traded corp is?
  Yeah I know... ask a lawyer... :(
11. Re:Award scholarships for under-aged people by Synerg1y · 2013-05-29 06:04 · Score: 3, Interesting
  
  None of what you said has anything to do with the age of the bug researcher. Still a pretty stupid argument imo, name one law that would prevent a 17 year old from getting paid for finding a bug.
  I do however agree that they are not the same company and would go about writing their policy around it differently, but that has nothing to do with the legality of it whatsoever.
  Your "insightful" off point and irrelevant statement got mine downmodded you ho. J/k :)
  And one more time just to be clear: corporate policy != law and amen for that.
12. Re:Award scholarships for under-aged people by Joce640k · 2013-05-29 06:24 · Score: 1
  
  "Legal Complications"
  If there is legal reasons to not award people under the age of 17 with rewards and such for doing good, then the law is wrong. But then again, this is the "nanny state" where we write laws to protect people from themselves, and in the name of "protecting the children". These laws fix outlying problems at the expense of everyone else.
  And remember...this is Germany, where 16 is the legal age for getting a job.
  
  --
  No sig today...
13. Re:Award scholarships for under-aged people by Anonymous Coward · 2013-05-29 07:26 · Score: 0
  
  I thinks its safe to presume PayPal wants to keep the bug secret or control how / when he talks about it in exchange for the reward. They can not enter into a contract with a 17 year old minor so they don't give him the money. They aren't paying for finding the bug, they are paying for silence and control over it after its found. The $ for finding phrasing is just better PR wording.
14. Re:Award scholarships for under-aged people by Synerg1y · 2013-05-29 07:36 · Score: 1
  
  AC, it's actually an NDA that makes the most sense that they would make him sign, a contract has a start and end date, an NDA can say something like no disclosure till the bug is fixed.
  My point stands, there's no legal problem here as NDAs are not age specific.
  http://en.wikipedia.org/wiki/Non-disclosure_agreement
15. Re:Award scholarships for under-aged people by Anonymous Coward · 2013-05-29 07:55 · Score: 0
  
  The bug reporters age and the type of company or corporation involved do not change anything about this scenerio. Paypal is not prohibited from paying this individual by law. If you honestly think there is a law prohibiting such then you need to provide the citation. Paypal is currently choosing to not pay this individual based on their own policies and nothing else.
16. Re:Award scholarships for under-aged people by Anonymous Coward · 2013-05-29 09:29 · Score: 0
  
  a circle jerk?
17. Re: Award scholarships for under-aged people by Anonymous Coward · 2013-05-29 09:31 · Score: 0
  
  Hey Kid,
  Get your parents to sign off and we will hire you full time to hack against the Chinese
  Signed
  Uncle Sam
18. Re:Award scholarships for under-aged people by Anonymous Coward · 2013-05-29 10:48 · Score: 1
  
  From your link:
  
  "A non-disclosure agreement (NDA), also known as a confidentiality agreement (CA), confidential disclosure agreement (CDA), proprietary information agreement (PIA), or secrecy agreement, is a legal contract between at least two parties"
19. Re:Award scholarships for under-aged people by Anonymous Coward · 2013-05-29 15:30 · Score: 0
  
  You stupid fucking moron, stop posting utter nonsense. Full of yourself and completely wrong, really a winning combination.
20. Re:Award scholarships for under-aged people by Anonymous Coward · 2013-05-29 16:31 · Score: 0
  
  PP policy should have had an underlining clause, "if you are under 18 you will need parents/legal guardians permission to claim prize" How f***ng retarded can paypal be over a simple line? Oh wait considering how they f*** people over, time and time again they are retarded.
  Mozilla is open-source, and more, open, to giving out rewards not based on age, they want people of any age to be involved, you know what they say? Youth is the future. Thats difference between corrupt closed companies like PayPal, and open source companies like Mozilla.
  Love there PR attempt by the way, yes, come out and say someone else found it, after it becomes a internet media frenzy, classy, real classy.. Again to retarded to put in the email to the young man "XXXXXX found this bug, sorry"
Why restrict it at all? by HalAtWork · 2013-05-29 03:59 · Score: 3, Insightful

It's a voluntary process, why would they need to restrict it? It's not like it's forced child labor. If anything, it's a learning experience.

--
Twinstiq, game news
1. Re:Why restrict it at all? by idontgno · 2013-05-29 04:04 · Score: 5, Insightful
  
  If anything, it's a learning experience.
  Indeed. A valuable lesson for any impressionable youth to learn: Paypal will work very hard to screw you out of anything it can. Unless the PR blowback gets bad enough.
  (Paypal can apparently tolerate a certain low buzz of "Paypal sucks". They have considerably more trouble with Streisand-amplified flack.)
  
  --
  Welcome to the Panopticon. Used to be a prison, now it's your home.
2. Re:Why restrict it at all? by Intrepid+imaginaut · 2013-05-29 04:05 · Score: 1
  
  There may be some sort of 'ability to enter into legally binding contracts' thing going on. But seriously just hold the payment till he turns 18. Happy birthday kid!
  People make things so hard for themselves sometimes.
3. Re:Why restrict it at all? by nitehawk214 · 2013-05-29 04:11 · Score: 1
  
  It's a voluntary process, why would they need to restrict it? It's not like it's forced child labor. If anything, it's a learning experience.
  Yeah, he learned that he should never report a vulnerability. At best, you get nothing for your trouble, at worst you get the FBI breaking down your door and you get Aaron Swartz'd by some overzealous DA.
  
  --
  I'm a good cook. I'm a fantastic eater. - Steven Brust
4. Re:Why restrict it at all? by TheCarp · 2013-05-29 04:12 · Score: 3, Insightful
  
  There is only one reason to restrict it...legal CYA. Remember everywhere in the world makes their own laws and many of them have restrictions on what one can do with young people, which includes paying them.
  Does paying a minor, even for such a voluntary action, require parental approval? If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?
  Remember, lawmakers are lazy, they like to be overly broad or not think things through, I could totally see legislative attempts at curbing anything from drug use to underage prostitution hamfistedly creating problems here. Law is often not limited by its own intentions.
  In the end, I bet the answer has three letters: CYA:
  "What are the implications of allowing people under 18 to submit bugs?"
  "It depends on......."
  "Ok sorry I asked; no submissions from people under 18."
  
  --
  "I opened my eyes, and everything went dark again"
5. Re: Why restrict it at all? by skywire · 2013-05-29 04:14 · Score: 1
  
  Child labour laws usually prohibit voluntary labour by persons under a certain age (with varying ages, transitional age ranges allowed to work limited hours, etc.).
  
  --
  Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.
6. Re: Why restrict it at all? by CanHasDIY · 2013-05-29 04:27 · Score: 1
  
  Child labour laws usually prohibit voluntary labour by persons under a certain age (with varying ages, transitional age ranges allowed to work limited hours, etc.).
  Indeed; in the USA, that age is generally 16 (although exceptions do apply for work permit holders and farm kids)
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
7. Re: Why restrict it at all? by ganjadude · 2013-05-29 04:47 · Score: 1
  
  yet you can be 14 and work at a mcdonalds, at least in NY
  
  --
  have you seen my sig? there are many others like it but none that are the same
8. Re:Why restrict it at all? by mark-t · 2013-05-29 04:48 · Score: 1
  
  Or, you deal with them through an adult... say, your parents.
  
  --
  File under 'M' for 'Manic ranting'
9. Re:Why restrict it at all? by Anonymous Coward · 2013-05-29 05:02 · Score: 0
  
  (Paypal can apparently tolerate a certain low buzz of "Paypal sucks". They have considerably more trouble with Streisand-amplified flack.)
  Just wait until there are only monopolies left, and every damn one of them can tolerate a certain "buzz" of YourCompany sucks. Facebook can piss people off DAILY (charging money to send emails to the Inbox, the #FBRape campaign, and an endless shitstorm of we're-changing-default-privacy-settings-again), and yet they simply DO NOT CARE.
  Why?
  The answer is simple. Sheer numbers. As in so many damn customers there's no way you could do something to offend them all, thus almost guaranteeing success regardless of negative publicity. Charging money for individual emails would have strung CIOs up by their Startacs 10 years ago. Now, it's "meh". And people pay. And pay. And pay.
  Slap a contract on top of that, and now you've got your pissed off customers right where you want them. Kind of like the recent "surcharge" AT&T imposed on every single wireless customer that generated millions overnight.
10. Re:Why restrict it at all? by noh8rz10 · 2013-05-29 05:07 · Score: 1
  
  If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?
  let me answer your question with a blanket YES - anybody can sue anybody for anything, for any claim. then it becomes a probability game of their odds of winning, the potential cost if you lose, and the cost of defending, even if you were to win. throw in some unquantifiables such as PR reputational costs, etc.
  
  on the other hand, the plaintiff plays the same probability game, and will only sue if there's a good chance of seeing some $$. So it's all a rent-seeking game of thuggery and extortion. welcome to tort law.
11. Re:Why restrict it at all? by TheCarp · 2013-05-29 05:27 · Score: 1
  
  > on the other hand, the plaintiff plays the same probability game, and will only sue if there's a good
  > chance of seeing some $$
  Well no, its if they believe there is a good chance, which is different from whether there is, but also, whether there is depends on what court in what country. My point is, this looks pretty clearly like it was CYA from the begining and likely something they didn't think through since it was likely viewed as more trouble than its worth.
  
  --
  "I opened my eyes, and everything went dark again"
12. Re:Why restrict it at all? by Khyber · 2013-05-29 05:29 · Score: 1
  
  ""What are the implications of allowing people under 18 to submit bugs?""
  If you won't pay them as promised, someone else will.
  Mr. Kugler should be checking his paypal account for the tidy sum I just tossed his way.
  I hope PayPal is happy, because now I know how deep this rabbit hole goes, and it's a SEVERE PCI-DSS violation, which I shall be reporting, or exploiting, I'm not sure of which, yet.
  Either way, there's about to be a HUGE shitstorm for paypal, and this will likely end up having them fully-regulated as a bank in the USA.
  And if PayPal stops his account for suspicious activity, I'll use this exploit to send EVERY PayPal member's money to him. Just to demonstrate why systems like this NEED to be fully-regulated and inspected on a WEEKLY basis.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
13. Re: Why restrict it at all? by Khyber · 2013-05-29 05:30 · Score: 1
  
  With highly restricted hours, and if McDonald's isn't following that restriction, they're about to get fucked, royally. Won't matter if it's an independent franchise or not.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
14. Re:Why restrict it at all? by Anonymous Coward · 2013-05-29 05:32 · Score: 0
  
  Charging money for individual emails
  You realize that it doesn't actually cost anything if you're allowed to by the person right? Facebook is horrible in all of the ways you mention, but at least pick your examples right. The point is sane, if people are willing to pay money to Facebook to email a stranger, they probably have something important enough for the email to go through. It's a way for artists and others to be more lax in their policy without having endless spam messages delivered daily.
  It's also a way for Facebook to make easy money, I'm not naive. But they're making money off something you just couldn't do before, not charging for a service that already existed. You can still send emails for free to people who trust you, and you can still block the feature entirely if you want, but unlike before there's now a step in between.
15. Re:Why restrict it at all? by Anonymous Coward · 2013-05-29 05:40 · Score: 0
  
  Just WAIT until they find out how real estate works!
16. Re:Why restrict it at all? by c · 2013-05-29 05:46 · Score: 2
  
  Does paying a minor, even for such a voluntary action, require parental approval?
  According to the terms of the program, yes.
  "Payment is paid out through a verified PayPal account, once the bug is fixed."
  A minor can't have a PayPal account. As well, there's a "Terms for participation" which implies a contract to submit the bug. If a minor can't enter a contract, they can't agree to the terms.
  
  --
  Log in or piss off.
17. Re:Why restrict it at all? by TheCarp · 2013-05-29 06:01 · Score: 1
  
  That is kind of tangential to the point though. Yes, those are the terms, but, what the terms are doesn't address what they can be or why they are the way they are. I meant in more general terms, can you legally pay a minor without permission from their parent? Certainly, I imagine there are places and situations where you can, unambiguously and legally do so, but its not hard at all to imagine places and situations where you cannot or where whether you can is ambiguous.
  I think this really boils down to a bunch of CYA, easiest thing to do with "minors" is set the cutoff age around where most countries make the distinction and sidestep the whole issue by not allowing minors, which, appears to be exactly what paypal decided to do.
  Not that I blame them for wanting some CYA or wanting to punt on the whole issue, I wouldn't be shocked at all if the age limit came about as a response from the lawyers about how much research it would require.....or.... to simply the scenario even more, its not even a given that they ever considered the age issue. Its entirely likely it went like this:
  "Legal said we are good on the bug bounty program, but this is the language they want added to the rules."
  "Looks good, post it."
  
  --
  "I opened my eyes, and everything went dark again"
18. Re: Why restrict it at all? by CanHasDIY · 2013-05-29 06:09 · Score: 1
  
  yet you can be 14 and work at a mcdonalds, at least in NY
  I figured as much; hence my use of the term, "generally."
  In Missouri, employing anyone under the age of 16 requires a valid work permit (exception made for farm hands).
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
19. Re:Why restrict it at all? by noh8rz10 · 2013-05-29 06:11 · Score: 1
  
  I don't think you know what CYA means... it means think in advance to minimize problems later! Sure it backfired here but there are probably hundreds of cases in which children probably as young as 11 would have sought rewards even though it would be violating child labor laws worldwide. is this what you want, for Paypal to engage child labor to search for bugs?
20. Re: Why restrict it at all? by ganjadude · 2013-05-29 07:01 · Score: 1
  
  I forgot to mention that you do need a work permit, 14-15 are restricted to some jobs (mcdonalds) and can only work a total of 20 hours and no more than 3 hours on a school day and not past 7 PM (things may have changed in the past 15 years but ..woah damn im old) 16-17 can work 32 hours or something and no more than 4 hours on a school day and not after 10 PM
  
  --
  have you seen my sig? there are many others like it but none that are the same
21. Re: Why restrict it at all? by ganjadude · 2013-05-29 07:01 · Score: 1
  
  yes you are correct. I addressed it lower in the thread.
  
  --
  have you seen my sig? there are many others like it but none that are the same
22. Re:Why restrict it at all? by bill_mcgonigle · 2013-05-29 07:39 · Score: 1
  
  Good analysis.
  If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?
  Just to strip away the euphemisms here for clarity - Paypal likely isn't afraid of paying the youngster for good work - it's afraid of what government thugs might do to them if they do.
  I'd rather live in the world where a youth can be rewarded for diligent, intelligent work.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
23. Re:Why restrict it at all? by steelfood · 2013-05-29 08:13 · Score: 1
  
  It's all about lawsuits. Laws cannot be written with every specific case in mind (and probably should not). The very purpose of judges (and juries) is to determine the application of law in each specific case.
  The problem (in this case) is neither the judges nor the lawmakers. It's the lawyers, and the sue-happy culture. A large company's primary goal operationally is to avoid lawsuits. It's not to make money. It's not to create products. it's the avoid lawsuits. That should tell you everything about the culture.
  
  --
  "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
24. Re:Why restrict it at all? by stephanruby · 2013-05-29 08:36 · Score: 1
  
  There is only one reason to restrict it...legal CYA.
  "PayPal security is sooo bad, even a six years old can break it. "
  That would be another reason for placing an age limit on people who submit bugs, possible embarrassment.
25. Re:Why restrict it at all? by thomasw_lrd · 2013-05-29 09:42 · Score: 1
  
  Really it seems like this is a way to force younger people into criminal hacking. Hey, I found a bug on Paypal, I could do the responsible thing, and turn it in and not get paid, or I could exploit it and get paid even better. As if I needed anymore reason to hate Paypal.
  
  --
  21st Century Renaissance Man
26. Re:Why restrict it at all? by TheCarp · 2013-05-29 23:42 · Score: 1
  
  I don't consider that child labor so no. However, if you do, then yes, that's exactly what I would want; regardless of the label you put on it.
  
  --
  "I opened my eyes, and everything went dark again"
27. Re:Why restrict it at all? by noh8rz10 · 2013-05-30 02:56 · Score: 1
  
  obviously you do not have children. if you ever do you will see what I mean... trust me grasshopper...
28. Re:Why restrict it at all? by TheCarp · 2013-05-30 03:51 · Score: 1
  
  obviously the hormonal impact of having children has clouded your ability to understand what child labor actually means and why it is generally banned. If you ever do get beyond that you will see what I mean, trust me.
  
  --
  "I opened my eyes, and everything went dark again"
Why don't they just admit it. by Anonymous Coward · 2013-05-29 03:59 · Score: 0

Why don't they just admit they don't want to pay him - or anyone.
1. Re:Why don't they just admit it. by gl4ss · 2013-05-29 04:02 · Score: 1
  
  Why don't they just admit they don't want to pay him - or anyone.
  wouldn't get free work then.
  the right thing to do that wouldn't have been a pr snafu would have been to told him that he'll get his reward when he turns 18.. not that giving minors money would be illegal anyhow.
  is their rewards program constructed as a shuffle??
  
  --
  world was created 5 seconds before this post as it is.
This kid pointed out Paypal's Biggest Vunerability by garcia · 2013-05-29 03:59 · Score: 2

Their poor policy and the public's perception of that company. The more people hear about PayPal's poor internal decision making the better off everyone is about avoiding their biggest vulnerabilities.
tinfoil hat by Anonymous Coward · 2013-05-29 04:00 · Score: 0

Paypal pulling out their tinfoil hat. They could have told that to the researcher and this all would have been avoided.
I smell bullshit.
Make payment to parents or guardians by techdolphin · 2013-05-29 04:03 · Score: 1

It seems obvious to me, but if Robert Kugler is too young to receive the award, then arrange to make the payment to a parent or guardian. If somebody else discovered the vulnerability first, then again, obviously, that should have been stated in the initial contact.
1. Re:Make payment to parents or guardians by bmo · 2013-05-29 04:08 · Score: 1
  
  This all assumes that there is some sort of legal restriction on giving money for things like this.
  There isn't.
  --
  BMO
2. Re:Make payment to parents or guardians by g0bshiTe · 2013-05-29 04:09 · Score: 3, Informative
  
  He did ask that payment be sent to his parents account, they denied it.
  
  --
  I am Bennett Haselton! I am Bennett Haselton!
3. Re:Make payment to parents or guardians by Culture20 · 2013-05-29 04:23 · Score: 1
  
  It's not about the money, it's about the signing over of rights.
4. Re:Make payment to parents or guardians by Joce640k · 2013-05-29 04:52 · Score: 1
  
  It seems obvious to me, but if Robert Kugler is too young to receive the award
  Is there an age restriction on owning money?
  I'll try to remember that the next time I see girl scouts selling cookies.
  And I'll notify the authorities immediately if I see any kids mowing the neighbors lawn. It's my moral duty.
  
  --
  No sig today...
5. Re:Make payment to parents or guardians by Anonymous Coward · 2013-05-29 05:12 · Score: 0
  
  No, but there's age restrictions on entering contracts. Minors can enter contracts but can also freely back out before the age of majority. Not very likely in this case, but a company can easily find itself in trouble by entering into a contract with a minor.
6. Re:Make payment to parents or guardians by Khyber · 2013-05-29 05:32 · Score: 1
  
  "Is there an age restriction on owning money?"
  Why yes, there is, especially if something has been found to be in violation of child labor laws.
  But, this isn't the matter.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
7. Re:Make payment to parents or guardians by Joce640k · 2013-05-29 06:17 · Score: 1
  
  Who said anything about a contract? Why would you need one, are there any intellectual property rights on a vulnerabilities/bugs? Does he need to sign the ownership rights over to them so they can collect royalty payments from people who exploit it?
  He reported a vulnerability, they acknowledged it exists and that he's reported it to them.
  They're not employing him or entering into an ongoing business relationship with him, they need to STFU and give him his money as promised.
  
  --
  No sig today...
Sure, PayPal. by Anonymous Coward · 2013-05-29 04:03 · Score: 0

Let's say that we're reviewing the qualifying age so that we can get these internet assholes off our case.
Oh, but we don't want to actually pay anything, so let's also say someone else already submitted the bug.
Paypal Ebay screws kid out of bug bounty by Anonymous Coward · 2013-05-29 04:04 · Score: 0

Sure sure, we know
PayPal by Anonymous Coward · 2013-05-29 04:05 · Score: 0

Can we dedicate this thread to finding alternatives to PayPal so people don't have to interact with this horrible company and its practices.
1. Re:PayPal by g0bshiTe · 2013-05-29 04:10 · Score: 1
  
  Bitcoin
  
  --
  I am Bennett Haselton! I am Bennett Haselton!
2. Re: PayPal by Anonymous Coward · 2013-05-29 04:29 · Score: 0
  
  Nope. Try again.
Legal issues? I hardly knew her. by yuukari · 2013-05-29 04:11 · Score: 1

To be fair I can see where paypal is coming from, trying to cover their rears in case of some problems with the law when it comes to paying minors a lump sum, however if Kugler had found the bug he should've been awarded the money. If it wasn't stated in their fine print they have no choice, in my opinion. (That being said, you need to be eighteen in order to even have a paypal account, so it should render the point null).
Just shut up and pay the kid by anthony_greer · 2013-05-29 04:21 · Score: 1

That is all
Can't 'Legally' Pay a 17-Year-Old? by CanHasDIY · 2013-05-29 04:30 · Score: 4, Insightful

Pure, unfiltered bullshit.
Evidence: 16-year-olds who work at McDonald's.
C'mon, PayPal; Fuckin' a kid around is bad enough, but then having the balls to lie to his face about why? That's uber-dickish.

--
An enigma, wrapped in a riddle, shrouded in bacon and cheese
1. Re:Can't 'Legally' Pay a 17-Year-Old? by Anonymous Coward · 2013-05-29 05:17 · Score: 0
  
  I'm not saying you are wrong about Paypal being dickish or that they couldn't have found some way to pay him, but your comparison sucks. Those 16-year-old McDonald's employees work under all kinds of restrictions (e.g., what hours they can work) and are actual employees. It's not the same thing. I think Paypal would rather not pay some kid than to run afoul of child labor laws (and the even worse bad press they'd get).
2. Re:Can't 'Legally' Pay a 17-Year-Old? by Joce640k · 2013-05-29 06:21 · Score: 1
  
  run afoul of child labor laws
  Was Paypal employing him? Did they have any prior contact with him? Have they ever paid him money before?
  If people aren't allowed to buy things off minors then the Girl Scouts of America are completely screwed.
  
  --
  No sig today...
3. Re:Can't 'Legally' Pay a 17-Year-Old? by DerekLyons · 2013-05-29 06:53 · Score: 1
  
  Pure, unfiltered ignorance
  On your part, yes. (I.E. TFTFY).
  
  Evidence: I didn't know that16-year-olds who work at McDonald's only do so under special legal restrictions and with parental permission.
  Fixed that for you too.
  
  C'mon, PayPal; Fuckin' a kid around is bad enough, but then having the balls to lie to his face about why? That's uber-dickish.
  Seriously, get a clue what you're talking about. The terms of the program require an active PayPal account - which a minor can't have. The only dick in this situation is the one puffing out his chest and prattling on about things he knows nothing about.
4. Re:Can't 'Legally' Pay a 17-Year-Old? by CanHasDIY · 2013-05-29 07:26 · Score: 1
  
  Pure, unfiltered ignorance
  On your part, yes. (I.E. TFTFY).
  
  Evidence: I didn't know that16-year-olds who work at McDonald's only do so under special legal restrictions and with parental permission.
  Fixed that for you too.
  You didn't fix shit, you cocky asshole. I've worked since I was 15, and guess what? Never needed parental permission, and the only "special legal restrictions" I dealt with were that I wasn't supposed to work past a certain time (10 PM I think) on schooldays, though that never stopped management from scheduling me til close.
  Spend a little more time doing research, and a little less time being so sure of yourself, and maybe next time you won't come off as such an arrogant, know-nothing prick.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
5. Re:Can't 'Legally' Pay a 17-Year-Old? by DerekLyons · 2013-05-29 07:50 · Score: 1
  
  You didn't fix shit, you cocky asshole. I've worked since I was 15, and guess what? Never needed parental permission, and the only "special legal restrictions" I dealt with were that I wasn't supposed to work past a certain time (10 PM I think) on schooldays
  Then you worked under very unusual circumstances. And you're ignorant enough to mistake them for being universal. (As if your inability to express yourself without profanity wasn't example enough of your ignorance.)
  
  Spend a little more time doing research, and a little less time being so sure of yourself, and maybe next time you won't come off as such an arrogant, know-nothing prick.
  Your mistake (one among many) lies in thinking I didn't do research... And being " arrogant, know-nothing prick", that's a label often applied to me by ignorant people to justify their own ignorance. It doesn't bother me one bit.
6. Re:Can't 'Legally' Pay a 17-Year-Old? by Anonymous Coward · 2013-05-29 08:24 · Score: 0
  
  Exactly. And now the PR spinmeisters are trying to do some damage control... how lame!
  Fuck paypal.
7. Re:Can't 'Legally' Pay a 17-Year-Old? by Anonymous Coward · 2013-05-29 15:46 · Score: 0
  
  You're making the mistake of thinking the Jati Jackasses running PayPal are concerned about rational thought. The broomstick is stuck too far up their self-important pompous ass to be concerned about anything beyond themselves and their immediate family managing their Serf powered Communist Monarchy.
escrow? by anthony_greer · 2013-05-29 04:32 · Score: 1

If there is an age issue, couldn't they just toss the funds into escrow, maybe an interest earning money market, and cut him a check on his 18th B-Day?
Already reported by Anonymous Coward · 2013-05-29 04:43 · Score: 1

Sure it was. Does anyone actually buy this?
Excellent motivation and publicity, Paypal! by Bearhouse · 2013-05-29 04:44 · Score: 1

Well done guys.
Clear message here kids; next time sell the exploit in a black hat forum.
Paypal, proudly fucking you over since 1998.
The message: by Opportunist · 2013-05-29 04:58 · Score: 4, Interesting

When you're young, don't report the bug to the company in question or the authorities, report it to those that can make "good use" of them. Not only do they not have any problem with you being underage, you being underage also means you most likely won't be doing time if you get caught.
It's just so win-win...

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:The message: by Insightfill · 2013-05-29 06:20 · Score: 2
  
  When you're young, don't report the bug to the company in question or the authorities, report it to those that can make "good use" of them...It's just so win-win...
  Yes, this comment was by the "Opportunist".
Whose Account ? by the+eric+conspiracy · 2013-05-29 04:59 · Score: 3, Interesting

PayPal has account eligibility requirement that you must be 18 to open an account. And yes I checked it applies in Germany.
Also you aren't supposed to let others use your account.
So how did he avoid these terms of service?
1. Re:Whose Account ? by Anonymous Coward · 2013-05-29 05:46 · Score: 0
  
  He discovered a security vulnerability... I'm sure there's something in the Paypal terms of service along the lines... "DO NOT HACK US"
  So how did he avoid these terms of service and why isn't paypal acting on his breaking them. So they're okay with him finding a security vulnerability even though he probably had to break their terms of service, but they won't compensate him for his efforts because THAT is against the ToS. It's kind of a Catch -22, could he have sold the vulnerability instead... you see how this works against Paypal no matter what.
2. Re:Whose Account ? by stephanruby · 2013-05-29 08:51 · Score: 1
  
  So how did he avoid these terms of service?
  It's a thing called parental supervision.
  No doubt one parent could have submitted the bug and gotten the money if it had just been a question of money, but how will the child be able to claim credit for discovery to his friends, to a school he will apply to, or on his resume, if instead of his own name, the name of one of his parents is listed on PayPal's web site as the person responsible for the bug discovery.
only feel a little sorry for him by RedHackTea · 2013-05-29 05:07 · Score: 1

At first, I didn't feel sorry at all. Usually, the guidelines specifically point out you must be 18+, and you agree to this upon submission. But then, I couldn't find anything about age restrictions. However, it does say "The bug bounty program is subject to change or to cancellation at any point without notice." and a bunch of other "Hey, we can screw you over if we want, and you agree to this upon submission." Therefore, I feel a little sorry for the guy because there is NO indication of an age restriction, but it's clear that Paypal can screw you over if they want (just like any legal Terms and Conditions that we all agree to everyday). If you don't want to be screwed over, just don't submit bugs. Submit bug reports for FOSS projects instead... or, call up Paypal and scream, "Show me the money!"

--
The G
More valuable than a monetary reward by Anonymous Coward · 2013-05-29 05:13 · Score: 0

Why not offer this kid an internship?
Money laundering by tepples · 2013-05-29 05:16 · Score: 1

The problem with Bitcoin is the difficulty of exchanging it for offline money. The governments of major countries have been cracking down on BTC exchanges, claiming that their potential for money laundering outweighs any lawful benefit they might offer. PayPal is big enough to be able to afford compliance with money laundering regulations.
But one alternative to PayPal is Dwolla, the payment processor that people used to use to get their money in and out of Mt. Gox.
1. Re:Money laundering by Fnord666 · 2013-05-29 06:25 · Score: 1
  
  But one alternative to PayPal is Dwolla, the payment processor that people used to use to get their money in and out of Mt. Gox.
  Another alternative would be LibertyReserve...what's that? ... oh, never mind.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Backpedaling doesn't make you look better.... by realsilly · 2013-05-29 05:28 · Score: 1

....PayPal, it just makes you look worse. If you had that vulnerability found already, there should have been something posted somewhere.
At this point, the only way for PayPal to save face is to dole out the reward and create a new policy stating all of the rules and when the bug is reported and verified, it should be posted immediately.

--
Life takes interesting turns, but the most interest is when you're off the beaten path.
1. Re:Backpedaling doesn't make you look better.... by GameboyRMH · 2013-05-29 06:08 · Score: 1
  
  Came here to say this. "Reported by another researcher" could be a very handy boilerplate response if there's no list of found vulnerabilities. They could even post a hash of a vulnerability's description until they fix it.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
Here's another idea for Paypal by Dahamma · 2013-05-29 06:13 · Score: 1

They should ban minors from hacking their site for personal gain and entertainment as well. That would probably cut down on the majority of the script kiddie attacks, and of course would be 100% effective.
Or even better, arbitrarily RAISE the age at which people are legally allowed to hack their site - that could eliminate ALL security issues, and they'd have no need for bug bounties at all... this security stuff is so damn easy!
Something is wrong... by Larry_Dillon · 2013-05-29 08:44 · Score: 1

They received something of value and didn't pay up. I see this as a problem. They should have to give the money to the charity of the kids choice or something like that.

--
Competition Good, Monopoly Bad.
Two More Unreported Bugs by Anonymous Coward · 2013-05-30 06:23 · Score: 0

Two security issues, one serious, I've known about for several weeks are still unknown. I'm thoroughly enjoying myself, while I just watch and wait; the resulting Karma will be a bitch. (Hint: viewing account data.)