PayPal Reviewing Qualifying Age For Vulnerability Rewards

itwbennett writes "In follow-up to 17-year old Robert Kugler's claim that PayPal denied him a bug bounty because he was under 18, the company now says that it is 'investigating whether it can lower the qualifying age for vulnerability rewards for those who responsibly report security problems.' The company also said that the vulnerability had already been reported by another researcher — although they didn't mention that in the email to Kugler telling him he wouldn't be receiving payment."

Award scholarships for under-aged people

[WillAdams]

That should sidestep all the legal complications.

Re:Award scholarships for under-aged people

[Synerg1y]

OP is a dumbass, there aren't any legal complications here, just policy:

Kugler has a record for finding security problems. He's received two payments for US$4,500 from Mozilla for finding two problems in its Firefox browser and also was listed as a noted security researcher by Microsoft last month.

Mozilla had no problem paying him.

Re:Award scholarships for under-aged people

[CanHasDIY]

That should sidestep all the legal complications.

Or, they could do what child-oriented contests and websites have done since time unknown:

Kids! Get your parents to submit written permission and you too can take part in whatever the hell it is we're doing!

Re:Award scholarships for under-aged people

[anthony_greer]

it was promised as a cash reward, don't force him to spend it on university...put it in escrow and cut him a check when he turns 18 if there is an age issue

Re:Award scholarships for under-aged people

[davmoo]

Mozilla is not a publicly traded corporation and all profits are plowed back in to Mozilla.

PayPal's parent eBay, on the other hand, is a publicly traded corporation who's goal is to make a profit for stock holders. Thus laws for it are very different.

Comparing a Mozilla bug payment to a PayPal bug payment is a very apples to oranges comparison.

And you need to learn how to debate an issue without attacking others by calling them "dumbass".

Re:Award scholarships for under-aged people

[Guppy]

And give the scholarship a grand-sounding name, so the kid can get some extra mileage in buffing his resume; such documents are often read by non-technical personnel who might misunderstand "Earned $**** reward for finding security vulnerability" (OMG HAX!), but would love to see something like "Recipient of the Paypal Merit Scholarship for Computing Security Excellence in Youth".

Re:Award scholarships for under-aged people

[Trimaxion]

Mozilla is not a publicly traded corporation and all profits are plowed back in to Mozilla.

PayPal's parent eBay, on the other hand, is a publicly traded corporation who's goal is to make a profit for stock holders. Thus laws for it are very different.

Honest question:

Are you saying that Mozilla has fewer constraints with respect to paying minors because it is a non-profit org?

What if we were talking about a privately held for-profit corporation? Would they be constrained just as the publicly traded corp is?

Yeah I know... ask a lawyer... :(

Re:Award scholarships for under-aged people

[Synerg1y]

None of what you said has anything to do with the age of the bug researcher. Still a pretty stupid argument imo, name one law that would prevent a 17 year old from getting paid for finding a bug.

I do however agree that they are not the same company and would go about writing their policy around it differently, but that has nothing to do with the legality of it whatsoever.

Your "insightful" off point and irrelevant statement got mine downmodded you ho. J/k :)

And one more time just to be clear: corporate policy != law and amen for that.

Re:Award scholarships for under-aged people

[Joce640k]

"Legal Complications"

If there is legal reasons to not award people under the age of 17 with rewards and such for doing good, then the law is wrong. But then again, this is the "nanny state" where we write laws to protect people from themselves, and in the name of "protecting the children". These laws fix outlying problems at the expense of everyone else.

And remember...this is Germany, where 16 is the legal age for getting a job.

Re:Award scholarships for under-aged people

[Synerg1y]

AC, it's actually an NDA that makes the most sense that they would make him sign, a contract has a start and end date, an NDA can say something like no disclosure till the bug is fixed.

My point stands, there's no legal problem here as NDAs are not age specific.

http://en.wikipedia.org/wiki/Non-disclosure_agreement

Re:Award scholarships for under-aged people

From your link:

"A non-disclosure agreement (NDA), also known as a confidentiality agreement (CA), confidential disclosure agreement (CDA), proprietary information agreement (PIA), or secrecy agreement, is a legal contract between at least two parties"

Why restrict it at all?

[HalAtWork]

It's a voluntary process, why would they need to restrict it? It's not like it's forced child labor. If anything, it's a learning experience.

Re:Why restrict it at all?

[idontgno]

If anything, it's a learning experience.

Indeed. A valuable lesson for any impressionable youth to learn: Paypal will work very hard to screw you out of anything it can. Unless the PR blowback gets bad enough.

(Paypal can apparently tolerate a certain low buzz of "Paypal sucks". They have considerably more trouble with Streisand-amplified flack.)

Re:Why restrict it at all?

[Intrepid+imaginaut]

There may be some sort of 'ability to enter into legally binding contracts' thing going on. But seriously just hold the payment till he turns 18. Happy birthday kid!

People make things so hard for themselves sometimes.

Re:Why restrict it at all?

[nitehawk214]

It's a voluntary process, why would they need to restrict it? It's not like it's forced child labor. If anything, it's a learning experience.

Yeah, he learned that he should never report a vulnerability. At best, you get nothing for your trouble, at worst you get the FBI breaking down your door and you get Aaron Swartz'd by some overzealous DA.

Re:Why restrict it at all?

[TheCarp]

There is only one reason to restrict it...legal CYA. Remember everywhere in the world makes their own laws and many of them have restrictions on what one can do with young people, which includes paying them.

Does paying a minor, even for such a voluntary action, require parental approval? If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?

Remember, lawmakers are lazy, they like to be overly broad or not think things through, I could totally see legislative attempts at curbing anything from drug use to underage prostitution hamfistedly creating problems here. Law is often not limited by its own intentions.

In the end, I bet the answer has three letters: CYA:

"What are the implications of allowing people under 18 to submit bugs?"
"It depends on......."
"Ok sorry I asked; no submissions from people under 18."

Re: Why restrict it at all?

[skywire]

Child labour laws usually prohibit voluntary labour by persons under a certain age (with varying ages, transitional age ranges allowed to work limited hours, etc.).

Re: Why restrict it at all?

[CanHasDIY]

Child labour laws usually prohibit voluntary labour by persons under a certain age (with varying ages, transitional age ranges allowed to work limited hours, etc.).

Indeed; in the USA, that age is generally 16 (although exceptions do apply for work permit holders and farm kids)

Re: Why restrict it at all?

[ganjadude]

yet you can be 14 and work at a mcdonalds, at least in NY

Re:Why restrict it at all?

[mark-t]

Or, you deal with them through an adult... say, your parents.

Re:Why restrict it at all?

[noh8rz10]

If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?

let me answer your question with a blanket YES - anybody can sue anybody for anything, for any claim. then it becomes a probability game of their odds of winning, the potential cost if you lose, and the cost of defending, even if you were to win. throw in some unquantifiables such as PR reputational costs, etc.

on the other hand, the plaintiff plays the same probability game, and will only sue if there's a good chance of seeing some $$. So it's all a rent-seeking game of thuggery and extortion. welcome to tort law.

Re:Why restrict it at all?

[TheCarp]

> on the other hand, the plaintiff plays the same probability game, and will only sue if there's a good
> chance of seeing some $$

Well no, its if they believe there is a good chance, which is different from whether there is, but also, whether there is depends on what court in what country. My point is, this looks pretty clearly like it was CYA from the begining and likely something they didn't think through since it was likely viewed as more trouble than its worth.

Re:Why restrict it at all?

[Khyber]

""What are the implications of allowing people under 18 to submit bugs?""

If you won't pay them as promised, someone else will.

Mr. Kugler should be checking his paypal account for the tidy sum I just tossed his way.

I hope PayPal is happy, because now I know how deep this rabbit hole goes, and it's a SEVERE PCI-DSS violation, which I shall be reporting, or exploiting, I'm not sure of which, yet.

Either way, there's about to be a HUGE shitstorm for paypal, and this will likely end up having them fully-regulated as a bank in the USA.

And if PayPal stops his account for suspicious activity, I'll use this exploit to send EVERY PayPal member's money to him. Just to demonstrate why systems like this NEED to be fully-regulated and inspected on a WEEKLY basis.

Re: Why restrict it at all?

[Khyber]

With highly restricted hours, and if McDonald's isn't following that restriction, they're about to get fucked, royally. Won't matter if it's an independent franchise or not.

Re:Why restrict it at all?

[c]

Does paying a minor, even for such a voluntary action, require parental approval?

According to the terms of the program, yes.

"Payment is paid out through a verified PayPal account, once the bug is fixed."

A minor can't have a PayPal account. As well, there's a "Terms for participation" which implies a contract to submit the bug. If a minor can't enter a contract, they can't agree to the terms.

Re:Why restrict it at all?

[TheCarp]

That is kind of tangential to the point though. Yes, those are the terms, but, what the terms are doesn't address what they can be or why they are the way they are. I meant in more general terms, can you legally pay a minor without permission from their parent? Certainly, I imagine there are places and situations where you can, unambiguously and legally do so, but its not hard at all to imagine places and situations where you cannot or where whether you can is ambiguous.

I think this really boils down to a bunch of CYA, easiest thing to do with "minors" is set the cutoff age around where most countries make the distinction and sidestep the whole issue by not allowing minors, which, appears to be exactly what paypal decided to do.

Not that I blame them for wanting some CYA or wanting to punt on the whole issue, I wouldn't be shocked at all if the age limit came about as a response from the lawyers about how much research it would require.....or.... to simply the scenario even more, its not even a given that they ever considered the age issue. Its entirely likely it went like this:

"Legal said we are good on the bug bounty program, but this is the language they want added to the rules."
"Looks good, post it."

Re: Why restrict it at all?

[CanHasDIY]

yet you can be 14 and work at a mcdonalds, at least in NY

I figured as much; hence my use of the term, "generally."

In Missouri, employing anyone under the age of 16 requires a valid work permit (exception made for farm hands).

Re:Why restrict it at all?

[noh8rz10]

I don't think you know what CYA means... it means think in advance to minimize problems later! Sure it backfired here but there are probably hundreds of cases in which children probably as young as 11 would have sought rewards even though it would be violating child labor laws worldwide. is this what you want, for Paypal to engage child labor to search for bugs?

Re: Why restrict it at all?

[ganjadude]

I forgot to mention that you do need a work permit, 14-15 are restricted to some jobs (mcdonalds) and can only work a total of 20 hours and no more than 3 hours on a school day and not past 7 PM (things may have changed in the past 15 years but ..woah damn im old) 16-17 can work 32 hours or something and no more than 4 hours on a school day and not after 10 PM

Re: Why restrict it at all?

[ganjadude]

yes you are correct. I addressed it lower in the thread.

Re:Why restrict it at all?

[bill_mcgonigle]

Good analysis.

If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?

Just to strip away the euphemisms here for clarity - Paypal likely isn't afraid of paying the youngster for good work - it's afraid of what government thugs might do to them if they do.

I'd rather live in the world where a youth can be rewarded for diligent, intelligent work.

Re:Why restrict it at all?

[steelfood]

It's all about lawsuits. Laws cannot be written with every specific case in mind (and probably should not). The very purpose of judges (and juries) is to determine the application of law in each specific case.

The problem (in this case) is neither the judges nor the lawmakers. It's the lawyers, and the sue-happy culture. A large company's primary goal operationally is to avoid lawsuits. It's not to make money. It's not to create products. it's the avoid lawsuits. That should tell you everything about the culture.

Re:Why restrict it at all?

[stephanruby]

There is only one reason to restrict it...legal CYA.

"PayPal security is sooo bad, even a six years old can break it. "

That would be another reason for placing an age limit on people who submit bugs, possible embarrassment.

Re:Why restrict it at all?

[thomasw_lrd]

Really it seems like this is a way to force younger people into criminal hacking. Hey, I found a bug on Paypal, I could do the responsible thing, and turn it in and not get paid, or I could exploit it and get paid even better. As if I needed anymore reason to hate Paypal.

Re:Why restrict it at all?

[TheCarp]

I don't consider that child labor so no. However, if you do, then yes, that's exactly what I would want; regardless of the label you put on it.

Re:Why restrict it at all?

[noh8rz10]

obviously you do not have children. if you ever do you will see what I mean... trust me grasshopper...

Re:Why restrict it at all?

[TheCarp]

obviously the hormonal impact of having children has clouded your ability to understand what child labor actually means and why it is generally banned. If you ever do get beyond that you will see what I mean, trust me.

This kid pointed out Paypal's Biggest Vunerability

[garcia]

Their poor policy and the public's perception of that company. The more people hear about PayPal's poor internal decision making the better off everyone is about avoiding their biggest vulnerabilities.

Re:Why don't they just admit it.

[gl4ss]

Why don't they just admit they don't want to pay him - or anyone.

wouldn't get free work then.
the right thing to do that wouldn't have been a pr snafu would have been to told him that he'll get his reward when he turns 18.. not that giving minors money would be illegal anyhow.

is their rewards program constructed as a shuffle??

Make payment to parents or guardians

[techdolphin]

It seems obvious to me, but if Robert Kugler is too young to receive the award, then arrange to make the payment to a parent or guardian. If somebody else discovered the vulnerability first, then again, obviously, that should have been stated in the initial contact.

Re:Make payment to parents or guardians

[bmo]

This all assumes that there is some sort of legal restriction on giving money for things like this.

There isn't.

--
BMO

Re:Make payment to parents or guardians

[g0bshiTe]

He did ask that payment be sent to his parents account, they denied it.

Re:Make payment to parents or guardians

[Culture20]

It's not about the money, it's about the signing over of rights.

Re:Make payment to parents or guardians

[Joce640k]

It seems obvious to me, but if Robert Kugler is too young to receive the award

Is there an age restriction on owning money?

I'll try to remember that the next time I see girl scouts selling cookies.

And I'll notify the authorities immediately if I see any kids mowing the neighbors lawn. It's my moral duty.

Re:Make payment to parents or guardians

[Khyber]

"Is there an age restriction on owning money?"

Why yes, there is, especially if something has been found to be in violation of child labor laws.

But, this isn't the matter.

Re:Make payment to parents or guardians

[Joce640k]

Who said anything about a contract? Why would you need one, are there any intellectual property rights on a vulnerabilities/bugs? Does he need to sign the ownership rights over to them so they can collect royalty payments from people who exploit it?

He reported a vulnerability, they acknowledged it exists and that he's reported it to them.

They're not employing him or entering into an ongoing business relationship with him, they need to STFU and give him his money as promised.

Re:PayPal

[g0bshiTe]

Bitcoin

Legal issues? I hardly knew her.

[yuukari]

To be fair I can see where paypal is coming from, trying to cover their rears in case of some problems with the law when it comes to paying minors a lump sum, however if Kugler had found the bug he should've been awarded the money. If it wasn't stated in their fine print they have no choice, in my opinion. (That being said, you need to be eighteen in order to even have a paypal account, so it should render the point null).

Just shut up and pay the kid

[anthony_greer]

That is all

Can't 'Legally' Pay a 17-Year-Old?

[CanHasDIY]

Pure, unfiltered bullshit.

Evidence: 16-year-olds who work at McDonald's.

C'mon, PayPal; Fuckin' a kid around is bad enough, but then having the balls to lie to his face about why? That's uber-dickish.

Re:Can't 'Legally' Pay a 17-Year-Old?

[Joce640k]

run afoul of child labor laws

Was Paypal employing him? Did they have any prior contact with him? Have they ever paid him money before?

If people aren't allowed to buy things off minors then the Girl Scouts of America are completely screwed.

Re:Can't 'Legally' Pay a 17-Year-Old?

[DerekLyons]

Pure, unfiltered ignorance

On your part, yes. (I.E. TFTFY).
 

Evidence: I didn't know that16-year-olds who work at McDonald's only do so under special legal restrictions and with parental permission.

Fixed that for you too.
 

C'mon, PayPal; Fuckin' a kid around is bad enough, but then having the balls to lie to his face about why? That's uber-dickish.

Seriously, get a clue what you're talking about. The terms of the program require an active PayPal account - which a minor can't have. The only dick in this situation is the one puffing out his chest and prattling on about things he knows nothing about.

Re:Can't 'Legally' Pay a 17-Year-Old?

[CanHasDIY]

Pure, unfiltered ignorance

On your part, yes. (I.E. TFTFY).

 

Evidence: I didn't know that16-year-olds who work at McDonald's only do so under special legal restrictions and with parental permission.

Fixed that for you too.

You didn't fix shit, you cocky asshole. I've worked since I was 15, and guess what? Never needed parental permission, and the only "special legal restrictions" I dealt with were that I wasn't supposed to work past a certain time (10 PM I think) on schooldays, though that never stopped management from scheduling me til close.

Spend a little more time doing research, and a little less time being so sure of yourself, and maybe next time you won't come off as such an arrogant, know-nothing prick.

Re:Can't 'Legally' Pay a 17-Year-Old?

[DerekLyons]

You didn't fix shit, you cocky asshole. I've worked since I was 15, and guess what? Never needed parental permission, and the only "special legal restrictions" I dealt with were that I wasn't supposed to work past a certain time (10 PM I think) on schooldays

Then you worked under very unusual circumstances. And you're ignorant enough to mistake them for being universal. (As if your inability to express yourself without profanity wasn't example enough of your ignorance.)
 

Spend a little more time doing research, and a little less time being so sure of yourself, and maybe next time you won't come off as such an arrogant, know-nothing prick.

Your mistake (one among many) lies in thinking I didn't do research... And being " arrogant, know-nothing prick", that's a label often applied to me by ignorant people to justify their own ignorance. It doesn't bother me one bit.

escrow?

[anthony_greer]

If there is an age issue, couldn't they just toss the funds into escrow, maybe an interest earning money market, and cut him a check on his 18th B-Day?

Already reported

Sure it was. Does anyone actually buy this?

Excellent motivation and publicity, Paypal!

[Bearhouse]

Well done guys.
Clear message here kids; next time sell the exploit in a black hat forum.

Paypal, proudly fucking you over since 1998.

The message:

[Opportunist]

When you're young, don't report the bug to the company in question or the authorities, report it to those that can make "good use" of them. Not only do they not have any problem with you being underage, you being underage also means you most likely won't be doing time if you get caught.

It's just so win-win...

Re:The message:

[Insightfill]

When you're young, don't report the bug to the company in question or the authorities, report it to those that can make "good use" of them...It's just so win-win...

Yes, this comment was by the "Opportunist".

Whose Account ?

[the+eric+conspiracy]

PayPal has account eligibility requirement that you must be 18 to open an account. And yes I checked it applies in Germany.

Also you aren't supposed to let others use your account.

So how did he avoid these terms of service?

Re:Whose Account ?

[stephanruby]

So how did he avoid these terms of service?

It's a thing called parental supervision.

No doubt one parent could have submitted the bug and gotten the money if it had just been a question of money, but how will the child be able to claim credit for discovery to his friends, to a school he will apply to, or on his resume, if instead of his own name, the name of one of his parents is listed on PayPal's web site as the person responsible for the bug discovery.

only feel a little sorry for him

[RedHackTea]

At first, I didn't feel sorry at all. Usually, the guidelines specifically point out you must be 18+, and you agree to this upon submission. But then, I couldn't find anything about age restrictions. However, it does say "The bug bounty program is subject to change or to cancellation at any point without notice." and a bunch of other "Hey, we can screw you over if we want, and you agree to this upon submission." Therefore, I feel a little sorry for the guy because there is NO indication of an age restriction, but it's clear that Paypal can screw you over if they want (just like any legal Terms and Conditions that we all agree to everyday). If you don't want to be screwed over, just don't submit bugs. Submit bug reports for FOSS projects instead... or, call up Paypal and scream, "Show me the money!"

Money laundering

[tepples]

The problem with Bitcoin is the difficulty of exchanging it for offline money. The governments of major countries have been cracking down on BTC exchanges, claiming that their potential for money laundering outweighs any lawful benefit they might offer. PayPal is big enough to be able to afford compliance with money laundering regulations.

But one alternative to PayPal is Dwolla, the payment processor that people used to use to get their money in and out of Mt. Gox.

Re:Money laundering

[Fnord666]

But one alternative to PayPal is Dwolla, the payment processor that people used to use to get their money in and out of Mt. Gox.

Another alternative would be LibertyReserve...what's that? ... oh, never mind.

Backpedaling doesn't make you look better....

[realsilly]

....PayPal, it just makes you look worse. If you had that vulnerability found already, there should have been something posted somewhere.

At this point, the only way for PayPal to save face is to dole out the reward and create a new policy stating all of the rules and when the bug is reported and verified, it should be posted immediately.

Re:Backpedaling doesn't make you look better....

[GameboyRMH]

Came here to say this. "Reported by another researcher" could be a very handy boilerplate response if there's no list of found vulnerabilities. They could even post a hash of a vulnerability's description until they fix it.

Here's another idea for Paypal

[Dahamma]

They should ban minors from hacking their site for personal gain and entertainment as well. That would probably cut down on the majority of the script kiddie attacks, and of course would be 100% effective.

Or even better, arbitrarily RAISE the age at which people are legally allowed to hack their site - that could eliminate ALL security issues, and they'd have no need for bug bounties at all... this security stuff is so damn easy!

Something is wrong...

[Larry_Dillon]

They received something of value and didn't pay up. I see this as a problem. They should have to give the money to the charity of the kids choice or something like that.