A lovely information leak on Paypal's front page is that if you attempt to log in with a banned account, and any password whatsoever, it gives you a nice error message saying that the account is banned (therefore confirming the account exists, info leak #1) and also gives the current account balance (info leak #2).<p>I know this because my account is banned.<p>Why's my account banned? Because in 2006 I received an unsolicited phone call from somewhere in Nebraska claiming to be Paypal and informing me they needed to verify my account credentials. I played along with the obvious phishing attempt for a few minutes until they demanded the email and mailing address on my account to "verify I was the account holder". I told the woman on the other end to go fuck herself and hung up. Turns out it <i>was</i> Paypal and they banned me for failing account verification.<p>Fuck Paypal.
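The login oracle the comment above describes, as an added example that is not part of the thread (the account records, salt and handler functions below are constructed for illustration and are not PayPal's code): a leaky handler that answers differently for unknown, banned and wrong-password cases, the same logic hardened so that nothing account-specific is disclosed before the password check succeeds, and the attacker-side check that turns the differing responses into an account-enumeration list.

```python
"""Added example (not from the HN thread): a login handler that leaks account
existence and state through its error messages, beside a hardened version.

ACCOUNTS, _SALT and the three functions are constructed for this demo only.
"""
import hashlib
import hmac

_SALT = b"fixed-salt-for-demo-only"          # demo only; use a per-user random salt in practice
_ITERATIONS = 10_000                          # kept low so the demo runs quickly


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed sample account store (not real users or balances).
ACCOUNTS = {
    "alice@example.com":   {"pw": _hash("correct horse"), "banned": False, "balance": "12.00"},
    "mallory@example.com": {"pw": _hash("hunter2"),       "banned": True,  "balance": "305.17"},
}

# Hashed once so an unknown email costs the same as a known one (no timing side channel).
_DUMMY_HASH = _hash("dummy-password-for-unknown-accounts")

GENERIC_FAILURE = "Invalid email or password."
RESTRICTED = "Account restricted; contact support."


def leaky_login(email: str, password: str) -> str:
    """Mirrors the behaviour described in the post: each failure cause has its own
    message, and the banned branch fires before the password is even checked."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return "No account with that email."
    if acct["banned"]:
        # Leak #1: confirms the account exists. Leak #2: discloses the balance.
        return f"This account is banned. Current balance: ${acct['balance']}"
    if not hmac.compare_digest(acct["pw"], _hash(password)):
        return "Incorrect password."
    return "Welcome"


def hardened_login(email: str, password: str) -> str:
    """Same checks, reordered: verify the password first, then (and only then)
    reveal account state. Every pre-authentication failure is the one generic message."""
    acct = ACCOUNTS.get(email)
    stored = acct["pw"] if acct is not None else _DUMMY_HASH
    if not hmac.compare_digest(stored, _hash(password)) or acct is None:
        return GENERIC_FAILURE
    if acct["banned"]:
        # The legitimate owner may be told why they cannot proceed; a guesser never is.
        return RESTRICTED
    return "Welcome"


def enumerate_accounts(login, candidates):
    """Attacker's view: any candidate whose response differs from the
    unknown-account baseline is a confirmed account."""
    baseline = login("no-such-user@example.com", "x")
    return [e for e in candidates if login(e, "x") != baseline]
```

Running `enumerate_accounts` against `leaky_login` confirms both sample accounts from a single bad-password attempt each; against `hardened_login` it returns nothing, because every response with the wrong password is identical. The same review applies to "forgot password" and registration endpoints, which are the other usual places this oracle appears.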
Anecdotally, I've seen similar bad behaviors in a lot of bug bounty programs:<p>- I haven't submitted to PayPal, but I do have a minor eBay XSS which I reported in May (eBay doesn't have a bounty program, but they do have a responsible disclosure policy: <a href="http://pages.ebay.com/securitycenter/Researchers.html" rel="nofollow">http://pages.ebay.com/securitycenter/Researchers.html</a>). The last time I asked if the issue was patched I was told "Not yet. We'll let you know when this is resolved." This was in June; I haven't re-tested recently.<p>- When CCBill had a bug bounty program I was able to gain access to their admin panel because it was publicly accessible and linked to via a directory index. That followed a story similar to the one here (I reported it, it was rejected as a duplicate, I followed up about a month later when it still wasn't patched, and they quietly patched it and paid me money).<p>- Yandex recently launched a bug bounty program. So far I've submitted 3 or 4 issues. I've only heard about one of them: it was marked as a duplicate, which is fine, but weeks later the issue still isn't patched.<p>That being said, there <i>are</i> companies like Google, Mozilla, Facebook, Etsy, GitHub, Reddit, and many others which take responsible disclosure of security issues seriously. But it does seem like certain companies need to re-examine how they handle reports from external researchers.
I've actually submitted, and was recently paid for, a PayPal XSS bug. I had the same issue with the expired PGP key and also received the new key from them manually. The whole process took around 4 months to complete, for most of which I was left in the dark. The only notification I received came in every 2 weeks to notify me that I was still in the queue. PayPal paid me $250 initially and another $500 after the bug was fixed. The initial $250 was actually sent to the email address on the account I was testing with (which had actually already been "Restricted") as opposed to my real PayPal address, which they had requested and I had provided. I was actually surprised by the amount, as at no point was I told how much I would receive (I had originally expected the second payment to also be $250). I appreciate the program, but they have a lot to learn; in comparison, the same process with Etsy took less than a day for them to replicate/patch. Google, even with its size, takes roughly 3-4 weeks and communicates fairly quickly throughout the entire process. I will say it was rather nice to be able to cash out the bounty just a few days after each payment, but compared to the rest of the companies with bug bounty programs, PayPal's ranks lowest in my opinion.
As an example of a <i>good</i> bug bounty program, my experience with Google was excellent.<p>If you're interested, I wrote about it here: <a href="http://blog.andrewcantino.com/blog/2011/12/14/hacking-google-for-fun-and-profit/" rel="nofollow">http://blog.andrewcantino.com/blog/2011/12/14/hacking-google...</a>
Maybe the writer should email the CEO, or whoever it was that a week or two back was announcing Paypal's brave new era of happiness, joy and customer service.