Online payment company PayPal has joined the growing number of companies offering bounties or rewards for bugs in its systems.

Chief information security officer Michael Barrett said that while PayPal is one of the first firms to implement a bug-reporting program, it is sweetening the deal. "Today I'm pleased to announce that we have updated our original bug reporting process into a paid 'bug bounty' program," he said in a June 21 blog post. "The experience from other companies such as Facebook, Google, Mozilla, Samsung and others who have implemented similar programs has been very positive," he added.

He said a bounty system is an effective way to increase researchers' attention on Internet-based services and find more potential issues.

Under the program, researchers submit bug reports to PayPal via the same secure reporting process using PGP encryption that it had in place previously. PayPal will then categorize the report into one of four categories:
- XSS (Cross Site Scripting)
- CSRF (Cross Site Request Forgery)
- SQL Injection
- Authentication Bypass
"We will then determine the severity and priority of the problem and our developers will fix the issue and then release the fix into our production environment," he said.

Barrett said PayPal then pays the researcher – via PayPal, of course – once the bug is fixed. "While a small handful of other companies have implemented bug bounties, we believe we are the first financial services company to do so. It's yet another example of the innovation that PayPal is bringing to shake up the industry as the world moves more and more payments online," he added.

A separate article on Sophos said that while PayPal did not give figures on how much it is willing to pay, other companies have made large offers. It said Google boosted its maximum reward from $3,133 to $20,000 and added a $10,000 payment for SQL injection bugs or for what it deems to be "significant" authentication bypass or data leak vulnerabilities.

In 2010, Mozilla increased its payout to $3,000 for each eligible security bug. It also broadened the program's scope to include not only Firefox and Thunderbird but also Firefox Mobile and any Mozilla services that rely on those products.

Facebook pays at least $500 for security hole reports. Last summer, Facebook chief security officer Joe Sullivan reported that the company had paid out over $40,000 within the first three weeks of the company's decision to pay bounties.

"Kudos. Let's hope the trend continues to grow," it said.
— LBG, GMA News