PayPal Reviewing Qualifying Age For Vulnerability Rewards

itwbennett writes "In follow-up to 17-year old Robert Kugler's claim that PayPal denied him a bug bounty because he was under 18, the company now says that it is 'investigating whether it can lower the qualifying age for vulnerability rewards for those who responsibly report security problems.' The company also said that the vulnerability had already been reported by another researcher — although they didn't mention that in the email to Kugler telling him he wouldn't be receiving payment."

Award scholarships for under-aged people

[WillAdams]

That should sidestep all the legal complications.

Re:Award scholarships for under-aged people

[Synerg1y]

OP is a dumbass, there aren't any legal complications here, just policy:

Kugler has a record for finding security problems. He's received two payments for US$4,500 from Mozilla for finding two problems in its Firefox browser and also was listed as a noted security researcher by Microsoft last month.

Mozilla had no problem paying him.

Re:Award scholarships for under-aged people

[Guppy]

And give the scholarship a grand-sounding name, so the kid can get some extra mileage in buffing his resume; such documents are often read by non-technical personnel who might misunderstand "Earned $**** reward for finding security vulnerability" (OMG HAX!), but would love to see something like "Recipient of the Paypal Merit Scholarship for Computing Security Excellence in Youth".

Re:Award scholarships for under-aged people

[Synerg1y]

None of what you said has anything to do with the age of the bug researcher. Still a pretty stupid argument imo, name one law that would prevent a 17 year old from getting paid for finding a bug.

I do however agree that they are not the same company and would go about writing their policy around it differently, but that has nothing to do with the legality of it whatsoever.

Your "insightful" off point and irrelevant statement got mine downmodded you ho. J/k :)

And one more time just to be clear: corporate policy != law and amen for that.

Why restrict it at all?

[HalAtWork]

It's a voluntary process, why would they need to restrict it? It's not like it's forced child labor. If anything, it's a learning experience.

Re:Why restrict it at all?

[idontgno]

If anything, it's a learning experience.

Indeed. A valuable lesson for any impressionable youth to learn: Paypal will work very hard to screw you out of anything it can. Unless the PR blowback gets bad enough.

(Paypal can apparently tolerate a certain low buzz of "Paypal sucks". They have considerably more trouble with Streisand-amplified flack.)

Re:Why restrict it at all?

[TheCarp]

There is only one reason to restrict it...legal CYA. Remember everywhere in the world makes their own laws and many of them have restrictions on what one can do with young people, which includes paying them.

Does paying a minor, even for such a voluntary action, require parental approval? If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?

Remember, lawmakers are lazy, they like to be overly broad or not think things through, I could totally see legislative attempts at curbing anything from drug use to underage prostitution hamfistedly creating problems here. Law is often not limited by its own intentions.

In the end, I bet the answer has three letters: CYA:

"What are the implications of allowing people under 18 to submit bugs?"
"It depends on......."
"Ok sorry I asked; no submissions from people under 18."

Re:Why restrict it at all?

[c]

Does paying a minor, even for such a voluntary action, require parental approval?

According to the terms of the program, yes.

"Payment is paid out through a verified PayPal account, once the bug is fixed."

A minor can't have a PayPal account. As well, there's a "Terms for participation" which implies a contract to submit the bug. If a minor can't enter a contract, they can't agree to the terms.

This kid pointed out Paypal's Biggest Vunerability

[garcia]

Their poor policy and the public's perception of that company. The more people hear about PayPal's poor internal decision making the better off everyone is about avoiding their biggest vulnerabilities.

Re:Make payment to parents or guardians

[g0bshiTe]

He did ask that payment be sent to his parents account, they denied it.

Can't 'Legally' Pay a 17-Year-Old?

[CanHasDIY]

Pure, unfiltered bullshit.

Evidence: 16-year-olds who work at McDonald's.

C'mon, PayPal; Fuckin' a kid around is bad enough, but then having the balls to lie to his face about why? That's uber-dickish.

The message:

[Opportunist]

When you're young, don't report the bug to the company in question or the authorities, report it to those that can make "good use" of them. Not only do they not have any problem with you being underage, you being underage also means you most likely won't be doing time if you get caught.

It's just so win-win...

Re:The message:

[Insightfill]

When you're young, don't report the bug to the company in question or the authorities, report it to those that can make "good use" of them...It's just so win-win...

Yes, this comment was by the "Opportunist".

Whose Account ?

[the+eric+conspiracy]

PayPal has account eligibility requirement that you must be 18 to open an account. And yes I checked it applies in Germany.

Also you aren't supposed to let others use your account.

So how did he avoid these terms of service?