
Robert Kugler, the German security researcher who found the bug, posted details about the vulnerability on the Full Disclosure mailing list Friday.
“Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old,” Kugler, who turns 18 next March, wrote on Seclists.
The bug bounty program has been in effect since June of 2012. Other companies, including Firefox and Mozilla, have similar programs, and PayPal does not list any age requirement in the literature describing its program.
As for the flaw, it is an XSS (cross-site scripting) issue. The company plans to fix it but is refusing to comment on the failure to pay the bounty. GNC earlier sent an email to the service, but has received no reply.