Skip to content

Teenager Finds Bug in PayPal Site, PayPal Denies Reward

May 28, 2013

PayPal stiffs teenager from bug reward

By Gilbert Falso :: 9:34 AM

When coders and online security researchers find errors in websites or software, the companies behind the programs will often pay out a bounty to the person who discovered the issue. Companies like Google and Facebook have very lucrative reward incentive programs, with payouts reaching from $100 to several thousand dollars, depending on the severity of the issue.

PayPal, the online money transfer website, also has a bug bounty program, and is withholding payment from a German teenager for discovery of a bug, because the teen is not yet 18 years old.

Robert Kugler is a German student who has found bugs for companies like Microsoft and Mozilla in the past. His work on uncovering problems in Mozilla’s Firefox browser has earned him about $4,500 over the past two years.

On PayPal’s website, the company lists the terms for rewarding people who find bugs, but mentions nothing about the age of the discoverer. One of the stipulations for PayPal’s program is that the finder have a PayPal account that money can be transferred in to.

Kugler has asked PayPal to transfer the funds to a PayPal account managed by his parents instead, but the company has not yet addressed his request. At a minimum, Kugler would like for PayPal to acknowledge his bug detective work in a form that he could use for a job application letter.

“I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s not the best idea when you’re interested in motivated security researchers,” Kugler commented on the Seclists.org forum, a website for discussing security vulnerabilities in commercial software and websites.

PayPal has not commented publicly on this story.