Let me provide an answer regarding the conversation about the young researcher < PayPal and the "13 more PayPal XSS" post.

Priority #1 - PayPal checks if all rules were successfully granted
Priority #2 - PayPal checks & validates the issue

#1 The guy did not read the participation rules and, at the end, made a full disclosure for fame.
#2 The issue was already reported, and PayPal is preparing a patch with priority influence.

If you do not want to see or accept the truth ... you should as a minimum grant the researcher the credit. The little Indian forcer scene from the govt with the Mohit Kumar mythology wants their bugs patched within one day and a payout the next day, but in the real world this is not easily possible. They also have concepts to prevent and check the effects of patches and co.

In this case the little guy had no knowledge that the issue had already been reported multiple times, and the others were all silent. At the end he lost everything ... he got no money, his bug was not accepted, and he will no longer have the possibility to report future issues because he broke the policy with a full disclosure for no reason.

I will continue to report my issues to PayPal to get bug bounty rewards, since so far everything has been correct. When I saw the news I was a bit stunned at how evil the news groups published the news against PayPal, since the facts are on the table.

~bkm

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: [email protected]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
