We found 6 critical PayPal vulnerabilities – and PayPal punished us for it

Found on Cybernews on Monday, 24 February 2020

Ever since PayPal moved its bug bounty program to HackerOne, its entire system for supporting bug bounty hunters who identify and report bugs has become more opaque, mired in illogical delays, vague responses, and suspicious behavior.

When we pushed the HackerOne staff for clarification on these issues, they removed points from our Reputation scores, relegating our profiles to a suspicious, spammy level. This happened even when the issue was eventually patched, although we received no bounty, credit, or even a thanks.

Lesson learned? Either sell your PayPal exploits on underground markets, or make them immediately public as 0-days and let them deal with it that way. No good deed goes unpunished when it comes to PayPal.