PayPal have joined the likes of Facebook, Google, Mozilla and Samsung by putting up a bounty for professional security researchers (hackers!) who find bugs in PayPal's websites or products. PayPal believe they are the first financial company to offer such a bounty.
This is an interesting move, and PayPal Chief Information Security Officer Michael Barrett admits he didn't like the idea of offering cash for bug reports but has been convinced by the results other companies have seen. It's a bit like Open Source Software: because countless engineers from around the world are looking at the code, bugs tend to be found and fixed significantly quicker than in proprietary software.
By enlisting the help of independent security professionals, and making it worth their while to flag potential issues, PayPal can often ship fixes before anyone else is even aware of the problem. Researchers already report bugs to PayPal; the only difference is that PayPal will now pay a bounty when issues are reported.
Of course, a bug bounty is not a licence to conduct security research in a way that could cause a denial of service, nor to use an exploit to view another PayPal user's data. That aside, if you think you can find a bug in their websites or other products, the full PayPal Bug Bounty Program rules are published on the PayPal website.