PayPal Denies Teen Reward For Finding Bug

itwbennett writes "You have to be 18 to qualify for PayPal's bug bounty program, a minor detail that 17-year old Robert Kugler found out the hard way after being denied a reward for a website bug he reported. Curiously, the age guideline isn't in the terms and conditions posted on the PayPal website. Kugler was informed by email that he was disqualified because of his age."

Paypal suck.

[aliquis]

^ That's all.

Why don't businesses get it?

[singingjim1]

That's a REALLY good way to generate positive publicity for your company - act like a douche.

The next bug....

[Anonymous Coward]

So, the next time a 17yo finds a bug, they don't report it, the exploit it.

Sounds like a plan.

Paypal, perhaps all future underage rewards be in the form of scholarships?

Just give the kid his money

[TWiTfan]

I'm pretty sure most shareholders would rather you part with tiny sum of money that you owe this kid than to take the tsunami of bad PR and bad faith that would result in you being dicks about it.

Briliant.

[headhot]

Way to piss off the community you asked to hack your system. I'm sure this will go well.

Re:Paypal suck.CROOKS

[Anonymous Coward]

They're crooks.

Re:Why don't businesses get it?

[Mike Frett]

Because the number of users whom don't care or didn't read this news is greater than the people that do. And they will continue to use the service no matter what.

Re:I could be worse.

[iggymanz]

or they could give it to his guardian or parents, or at least ask him to name a charity for it to be donated. In short, a dozen ways they could award the money if they weren't cheap-asses, and used their brain a little.

Let this be a Lesson

[bengoerz]

If Paypal won't pay the kid for bugs in its system, I bet someone else will.

Re:The next bug....

[click2005]

If I was him, next time I'd setup a system where people could donate bitcoins. Once the total reached the target amount the exploit gets released with the largest donator getting to choose who it gets released to.

They could have placed it in a college scholarship

[Picass0]

"Here's a few bucks in a bank account for next year when you go to school!" Oh, no. They didn't think of that. Creeps.

Perverse incentive

[wanderfowl]

"Remember kids: If you find a bug in Paypal's system, you'll get paid more for selling it to the black hats."

So they are going to do the right thing right?

[Marrow]

And hold the money for him until he is 18? And then give it to him. That would satisfy their policies wouldnt it?

Re:They could have placed it in a college scholars

[mark-t]

While I can appreciate where your skepticism is coming from, you have to realize that Paypal freezing people's accounts is actually not a typical thing. For every person that this sort of thing happens to, there are many hundreds or thousands of others that it does not. Not that I'm saying that it happens at all is acceptable, but it's not statistically valid to assume that something which happens a tiny fraction of 1% of the time might be sufficient reason to believe that one should actually be actively *expecting* it to happen at any particular time.

Re:Why don't businesses get it?

[fuzzyfuzzyfungus]

Oh, they could have done any number of things that aren't "be a total asshole".

My point was merely that it is practically boilerplate for contests to have an "Applicants must be US residents 18 years or older" clause to keep legal complexity down, so that part of the story isn't too unexpected. It's just the not having that clause, and then springing it on him anyway, and not even trying to make amends in some other fashion, that is just classic Paypal... Merely forbidding under-18's, because they are a greater pain to deal with, is pretty normal.

Secret conditions

[Geoffrey.landis]

So, basically, they have secret conditions to their offer to pay for revealing of bugs, and they don't tell anybody what those secret conditions are.

So, uh, why would anybody expect to be paid? What other secret conditions do they have, which they can reveal at any time and say "oh, so sorry, but one of our terms is that we don't pay under (xx) conditions."

--I'm sorry, but we don't pay if you work for a competitor, or a company that we deem might be a competitor in the future
--I'm sorry, but we don't pay if it's a vulnerability that can be traced to a flaw in an Adobe product, or in a commercial database program we may use that was purchased from an commercial source.
--I'm sorry, but we don't pay if you're from a country that doesn't speak English.
--I'm sorry, but we don't pay if the vulnerability is discovered by somebody from states with names beginning with a vowel.
--I'm sorry, but we don't pay if the vulnerability is one that is only active on days of the week ending in "y".

Re:Why don't businesses get it?

[Anonymous Coward]

No, it isn't obsolete and does matter. Try to get a book published if you're ignorant of grammar. Now, in a forum like this? If you're going to use "whom" you'd better be damned sure you're using it correctly or you'll look both pretentious and ignorant at the same time. Faux intellectuals are annoying. If you don't know when to use "whom" and when to use "who", just don't use "whom" at all. But don't expect anyone to believe you're ever stepped foot in a community college, let alone a university.

Leave "whom" to the pros, kid. If you're ignorant about a subject, STFU about it except for asking questions and listen. Nobody ever learned anything by spouting off shit they were ignorant about. Pretending to be more knowlegable than you actually are will leave you ignorant and leave everyone else laughing.

scholarship?

[schlachter]

Give the fucking kid a scholarship to college...or a paid internship at Paypal. Is it not possible for anyone to do any serious work until they are 18 yrs? wtf

Re:scholarship?

[sleigher]

I just can't wait til the pissed off kid finds the next bug... Maybe he already did and only gave them the small one. I can hope... fuck paypal

Re:Why don't businesses get it?

[pla]

They are a bank and have to respect the law.

They have fought tooth and nail - successfully - to remain very much not a bank. Banks have extensive regulations regarding when, how, and for how long they can lock you out of access to your own money, which runs contrary to Paypal's "when in doubt, just steal from our customers" business model.


No business with minors is one of them.

First of all, this kid already had a Paypal account. They never hesitated to take his money, and only mentioned this rule when it came time to pay some out.

And second - Just "no". Doing business with kids imposes a small extra burden on the company to make sure the parents approve, or they risk having a reduced ability to pass the buck on any derived liability. A bit more stringent, we have COPPA adding a ton of privacy requirements for kids under 13, but that doesn't apply here (and even then doesn't make such accounts illegal, it just requires parental approval and blocks the company from tracking/selling certain information about the kids).

Re:Why don't businesses get it?

[IP_Troll]

but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them. Now consider what happens if they fixed a bug based on your information, shipped a product and suddenly they have no permission anymore to use the information. Ugly.

If someone discovers a flaw in a system, you are not barred from ever fixing that flaw in the future. Whether or not the person that discovered the flaw is a minor is irrelevant.

If they offer a potential code fix you can chose not to use their code and avoid all liability.

You can try to fabricate a strawman argument to try to prove your point, but what you said is just plain wrong.

Re:Why don't businesses get it?

[Anonymous Coward]

Not the same AC, but the fact that I did not even notice the typo until you pointed it out kinda supports the AC's point.

Re:scholarship?

[lgw]

It's not just the security aspect - presumably PayPal is also doing this whole exercise to better their reputation in general. How's that working out?

Re:Why don't businesses get it?

[tlhIngan]

PayPal's assholishness is the stuff of legend. PayPal's customer service nightmares alone have been covered by the major media plenty of times. And yet, people still choose to do business with them. Go figure.

Because the alternatives are actually worse than paypal. A real merchant account is pretty damn abusive as well, and that's provided you qualify. If you sell trinkets irregularly over the Internet, you may not even qualify for a merchant account (they often have minimum transactions per month, or you pay a fee).

Things like Square work if you have the card or can get someone to send you the card information (which I believe has to be manually entered and doesn't qualify for the low Square rate).

The end result really is that if you want to accept a payment, Paypal is the only option for many. Well, you could save the 5% paypal fee and demand your customers get you a money order or something, but the inconvenience would generally put off many of your customers.

Re:scholarship?

[dissy]

Seriously, paypal done fucked up once more.

They did a great job teaching this kid "I could sell it to paypal for zero dollars, or I can auction it on this underground forum starting at $5000"

The only thing the kid even asked paypal for was a written statement of the accomplishment to put on his resume, and they won't even send that!
Even Microsoft lists him as a security researcher for the updates they have pushed fixing bugs this kid has found and reported to them!

The worst part is, paypal has also just taught these facts to everyone else who happens to know of an exploit in their system, or ever finds one in the future.

Smart move paypal *golf clap* smart move