PayPal offers bug bounty to uncover security holes

PayPal was one of the first companies to offer a bug reporting program, giving security researchers a way to report flaws in its payment service. But like Google, Facebook and Mozilla, PayPal is now upping the ante with a paid bug bounty program, which will reward researchers for finding holes in

Michael Barrett, PayPal’s chief information security officer, said he believes this is the first time a financial services company will implement a bounty program. While he had initial reservations, he’s found that a paid program can produce results. “It’s clearly an effective way to increase researchers’ attention on Internet-based services and therefore find more potential issues,” he wrote in a blog post.

White hat researchers can focus on four categories: XSS (Cross Site Scripting), CSRF (Cross Site Request Forgery), SQL Injection or Authentication Bypass. After a report is submitted through the existing PGP-encrypted reporting process, PayPal will assess the severity of the problem and issue a fix if necessary. The first researcher to report a previously unknown bug will be rewarded, with the bounty amount set at PayPal’s discretion. And the bounty will, of course, be paid via PayPal.

Researchers will be required to share the security hole with PayPal first, giving the company a reasonable amount of time to respond before making it public. PayPal promises not to bring a private action or refer the matter to authorities. You can find more information about the program here.

It’s unclear how much extra motivation this will provide for security researchers. No fixed sum has been set aside for the bounty program, so it’s unclear what researchers can expect to be paid. Google last month increased the bounty it pays for uncovering security holes, from a maximum reward of $3,133 to $20,000. Mozilla pays out $3,000 for each eligible security bug. Facebook offers at least $500 for each security flaw discovered, and reported that it had paid out $40,000 in the first few weeks of its bounty program last summer. But the promise of some money should prompt at least some people to look more closely at finding holes in, which coincidentally got a big redesign earlier this week.