Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Bug Security The Almighty Buck Your Rights Online

PayPal Denies Teen Reward For Finding Bug 318

itwbennett writes "You have to be 18 to qualify for PayPal's bug bounty program, a minor detail that 17-year old Robert Kugler found out the hard way after being denied a reward for a website bug he reported. Curiously, the age guideline isn't in the terms and conditions posted on the PayPal website. Kugler was informed by email that he was disqualified because of his age."
This discussion has been archived. No new comments can be posted.

PayPal Denies Teen Reward For Finding Bug

Comments Filter:
  • Paypal suck. (Score:5, Insightful)

    by aliquis ( 678370 ) on Tuesday May 28, 2013 @09:13AM (#43840127)

    ^ That's all.

    • by Anonymous Coward

      They're crooks.

    • Re:Paypal suck. (Score:5, Informative)

      by Anonymous Coward on Tuesday May 28, 2013 @10:11AM (#43840793)

      At least provide the link [paypalsucks.com].

      • by KGIII ( 973947 ) <uninvolved@outlook.com> on Tuesday May 28, 2013 @05:09PM (#43845023) Journal

        That site has been around forever and a day it seems. There are a number of people who have been screwed over by the company. I wouldn't have any sympathy for those people getting screwed except that some of them appear to (and have provided documentation that appears to be proof) be following all the various rules that PayPal has and yet they're still getting screwed over.

        One of the biggest and most common problems I see are the jackasses that reverse the charges because they claim they never got the product. Some of them have been so egregious that they claim the product was not new even though the ad provided by the seller clearly indicated that the product was in used condition. Yet PayPal still found in favor of the buyer and forced the refund. They've locked entire accounts worth thousands of dollars at their whim.

        I'm beginning to think that if they want to act like a bank that they need to be regulated as a bank but we've all seen how poorly bank regulation is and how ineffective the government's monitoring of banks is so I'm not sure how much of an actual benefit that would be.

        In this case it seems to me that PayPal could easily work with the teen and find an adult who could be awarded the reward on the teens behalf. But, well, why do that when they can simply refer to the rules and save the reward money? Assholes... A part of me wants to say that it is the teens fault for not being aware of the rules or for thinking that the rules don't apply to them. Indeed that would normally have been my attitude. However, this is PayPal and, due to that fact alone, means that I'm not inclined to reward PayPal with good-will thinking or benefit of the doubt thinking.

    • scholarship? (Score:5, Insightful)

      by schlachter ( 862210 ) on Tuesday May 28, 2013 @10:20AM (#43840979)

      Give the fucking kid a scholarship to college...or a paid internship at Paypal. Is it not possible for anyone to do any serious work until they are 18 yrs? wtf

      • Re:scholarship? (Score:5, Insightful)

        by sleigher ( 961421 ) on Tuesday May 28, 2013 @10:29AM (#43841065)
        I just can't wait til the pissed off kid finds the next bug... Maybe he already did and only gave them the small one. I can hope... fuck paypal
        • Re:scholarship? (Score:5, Insightful)

          by lgw ( 121541 ) on Tuesday May 28, 2013 @12:18PM (#43842391) Journal

          It's not just the security aspect - presumably PayPal is also doing this whole exercise to better their reputation in general. How's that working out?

        • Re:scholarship? (Score:5, Insightful)

          by dissy ( 172727 ) on Tuesday May 28, 2013 @03:51PM (#43844409)

          Seriously, paypal done fucked up once more.

          They did a great job teaching this kid "I could sell it to paypal for zero dollars, or I can auction it on this underground forum starting at $5000"

          The only thing the kid even asked paypal for was a written statement of the accomplishment to put on his resume, and they won't even send that!
          Even Microsoft lists him as a security researcher for the updates they have pushed fixing bugs this kid has found and reported to them!

          The worst part is, paypal has also just taught these facts to everyone else who happens to know of an exploit in their system, or ever finds one in the future.

          Smart move paypal *golf clap* smart move

      • Re:scholarship? (Score:4, Informative)

        by funwithBSD ( 245349 ) on Tuesday May 28, 2013 @10:30AM (#43841071)

        No, but generally speaking you cannot enter a contract with a minor, which is probably the legal issue. Age of majority is variable, but in California that is 18 ys old.

        They should find a way around it, but they can't just give it to him.

        • Re:scholarship? (Score:5, Informative)

          by Anonymous Coward on Tuesday May 28, 2013 @10:38AM (#43841165)

          Actually, no, you can indeed enter into a contract with a minor. If you couldn't, I'd have my kid click through all those license agreements nobody reads.

          The minor can be held to a contract that they signed if the parent knew of the contract and demonstrated acceptance, generally by not protesting it. At least that is (generally) the law in the US.

        • Re:scholarship? (Score:5, Informative)

          by David_Hart ( 1184661 ) on Tuesday May 28, 2013 @10:44AM (#43841239)

          No, but generally speaking you cannot enter a contract with a minor, which is probably the legal issue. Age of majority is variable, but in California that is 18 ys old.

          They should find a way around it, but they can't just give it to him.

          I am not a lawyer, but my understanding is that simply paying someone a reward is not entering into a contract.

          If Paypal requires that the person who finds the bug enters into a non-disclosure and/or marketing agreement (i.e. to be able to publish their name as the bug finder) prior to receiving the reward then I would agree that this may be the issue. However, there are tons of child actors in Hollywood, so their must be a way that a minor can enter into an agreement. I'm guessing that it would require the legal guardian(s) signature.

          • Yea it's BS there are tons of ways around these things. Also, they can't pay him because he isn't an adult old enough to abide by their terms and conditions or whatever, doesn't that gut every EULA everywhere? "My 16 year old installed it."

        • Re:scholarship? (Score:5, Informative)

          by kencurry ( 471519 ) on Tuesday May 28, 2013 @10:49AM (#43841297)
          Seems like a BS excuse to me. Minors receive scholarship money; hell they even turn pro is some sports. When my daughter started college she was only 17, but she controlled her own accounts at the UC she was attending without needing me to sign for everything. Paypal could find a work around if they wanted to.
      • by hweimer ( 709734 )

        Give the fucking kid a scholarship to college...

        He's from Germany and therefore unlikely to face any tuition fees, so I doubt he'll need one.

  • by singingjim1 ( 1070652 ) on Tuesday May 28, 2013 @09:13AM (#43840131)
    That's a REALLY good way to generate positive publicity for your company - act like a douche.
    • by Mike Frett ( 2811077 ) on Tuesday May 28, 2013 @09:17AM (#43840191)

      Because the number of users whom don't care or didn't read this news is greater than the people that do. And they will continue to use the service no matter what.

      • Who says this is the only report there will be? This is a human interest story that could quite easily be picked up wider than just /.

        • by invid ( 163714 ) on Tuesday May 28, 2013 @10:18AM (#43840923)
          Only if it also involves a squirrel, a bikini model, and a trebuchet.
          • damn, was that part in the article? I barely read the summary, but if they are going to include that kind of excitement then it needs to be more obvious.

        • by faedle ( 114018 )

          PayPal's assholishness is the stuff of legend. PayPal's customer service nightmares alone have been covered by the major media plenty of times. And yet, people still choose to do business with them. Go figure.

          • by tlhIngan ( 30335 ) <slashdot&worf,net> on Tuesday May 28, 2013 @02:26PM (#43843629)

            PayPal's assholishness is the stuff of legend. PayPal's customer service nightmares alone have been covered by the major media plenty of times. And yet, people still choose to do business with them. Go figure.

            Because the alternatives are actually worse than paypal. A real merchant account is pretty damn abusive as well, and that's provided you qualify. If you sell trinkets irregularly over the Internet, you may not even qualify for a merchant account (they often have minimum transactions per month, or you pay a fee).

            Things like Square work if you have the card or can get someone to send you the card information (which I believe has to be manually entered and doesn't qualify for the low Square rate).

            The end result really is that if you want to accept a payment, Paypal is the only option for many. Well, you could save the 5% paypal fee and demand your customers get you a money order or something, but the inconvenience would generally put off many of your customers.

      • Somehow I dont think its users that will think twice about selling Paypal vuln to Russian mob instead of disclosing it through proper channels.

    • That's a REALLY good way to generate positive publicity for your company - act like a douche.

      Payouts from just about any 'contest' style arrangement to under-18s tend to be legally obnoxious; but Paypal are a bunch of legendary assholes(and not mentioning such a salient limitation is a total dick move), so I'm not inclined to give them the benefit of the doubt. I'm a bit surprised that they didn't just accuse him of hacking and then freeze and seize a few dozen random accounts...

      • They could have paid out to his parents too.

        • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday May 28, 2013 @09:52AM (#43840583) Journal

          Oh, they could have done any number of things that aren't "be a total asshole".

          My point was merely that it is practically boilerplate for contests to have an "Applicants must be US residents 18 years or older" clause to keep legal complexity down, so that part of the story isn't too unexpected. It's just the not having that clause, and then springing it on him anyway, and not even trying to make amends in some other fashion, that is just classic Paypal... Merely forbidding under-18's, because they are a greater pain to deal with, is pretty normal.

          • by dgatwood ( 11270 )

            This is the point where Paypal learns the hard way that his parents did not consent to him accepting the terms of service where he agreed to mandatory binding arbitration.

      • by gnasher719 ( 869701 ) on Tuesday May 28, 2013 @10:19AM (#43840959)

        Payouts from just about any 'contest' style arrangement to under-18s tend to be legally obnoxious; but Paypal are a bunch of legendary assholes(and not mentioning such a salient limitation is a total dick move), so I'm not inclined to give them the benefit of the doubt. I'm a bit surprised that they didn't just accuse him of hacking and then freeze and seize a few dozen random accounts...

        What happens legally if you are 18 or over: You enter a contract with Paypal that allows them to make use of the bug information that you found and gave them, and in exchange they give you some money. What happens if you are under 18: The same, but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them. Now consider what happens if they fixed a bug based on your information, shipped a product and suddenly they have no permission anymore to use the information. Ugly.

        • by IP_Troll ( 1097511 ) on Tuesday May 28, 2013 @10:55AM (#43841383)

          but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them. Now consider what happens if they fixed a bug based on your information, shipped a product and suddenly they have no permission anymore to use the information. Ugly.

          If someone discovers a flaw in a system, you are not barred from ever fixing that flaw in the future. Whether or not the person that discovered the flaw is a minor is irrelevant.

          If they offer a potential code fix you can chose not to use their code and avoid all liability.

          You can try to fabricate a strawman argument to try to prove your point, but what you said is just plain wrong.

        • What happens legally if you are 18 or over: You enter a contract with Paypal that allows them to make use of the bug information that you found and gave them, and in exchange they give you some money. What happens if you are under 18: The same, but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them.

          Kids write, record and perform songs all the time, the the record companies have found a way to hold them to contracts. Ditto for kids that appear in films. What does Nashville and Hollywood know that PayPal can't figure out?

    • Some companies don't care whether it's good publicity or bad publicity as long as it brings their name into the public eye.

    • Secret conditions (Score:5, Insightful)

      by Geoffrey.landis ( 926948 ) on Tuesday May 28, 2013 @09:58AM (#43840645) Homepage

      So, basically, they have secret conditions to their offer to pay for revealing of bugs, and they don't tell anybody what those secret conditions are.

      So, uh, why would anybody expect to be paid? What other secret conditions do they have, which they can reveal at any time and say "oh, so sorry, but one of our terms is that we don't pay under (xx) conditions."

      --I'm sorry, but we don't pay if you work for a competitor, or a company that we deem might be a competitor in the future
      --I'm sorry, but we don't pay if it's a vulnerability that can be traced to a flaw in an Adobe product, or in a commercial database program we may use that was purchased from an commercial source.
      --I'm sorry, but we don't pay if you're from a country that doesn't speak English.
      --I'm sorry, but we don't pay if the vulnerability is discovered by somebody from states with names beginning with a vowel.
      --I'm sorry, but we don't pay if the vulnerability is one that is only active on days of the week ending in "y".

      • I think PayPal assumed like many other companies that you have to be an adult to consent to things that involve money and contracts. Every contest for minors I've seen normally requires parental consent. The bounty program says this specifically:

        As between eBay Inc. and the Submitter, as a condition of participation in the PayPal Bug Bounty program, the Submitter grants eBay Inc., its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission for any purpose.

        There is no way, a minor could agree and consent to that. Now PayPal could revise its policies now and in the future, but there is a reason not to let minors in.

    • Re: (Score:2, Informative)

      by nospam007 ( 722110 ) *

      "That's a REALLY good way to generate positive publicity for your company - act like a douche."

      They are a bank and have to respect the law. No business with minors is one of them.
      Just as alcohol or cigarette vendors they just cannot do business with kids.

      • by pla ( 258480 ) on Tuesday May 28, 2013 @10:31AM (#43841099) Journal
        They are a bank and have to respect the law.

        They have fought tooth and nail - successfully - to remain very much not a bank. Banks have extensive regulations regarding when, how, and for how long they can lock you out of access to your own money, which runs contrary to Paypal's "when in doubt, just steal from our customers" business model.


        No business with minors is one of them.

        First of all, this kid already had a Paypal account. They never hesitated to take his money, and only mentioned this rule when it came time to pay some out.

        And second - Just "no". Doing business with kids imposes a small extra burden on the company to make sure the parents approve, or they risk having a reduced ability to pass the buck on any derived liability. A bit more stringent, we have COPPA adding a ton of privacy requirements for kids under 13, but that doesn't apply here (and even then doesn't make such accounts illegal, it just requires parental approval and blocks the company from tracking/selling certain information about the kids).
    • Hey genius, it's a federal law actually.
    • Nonsense. All publicity is good publicity. And think of all of the good publicity PayPal will receive in the future when the next time a bug like this is sold on the Russian bug exchange instead of sent directly to PayPal, resulting in thousands, possibly millions of dollars in losses.

    • I'm assuming there's no legal reason why one would need to be 18 to get paid for something like this? No child labor laws that apply in weird ways to where paypal would be classified as a sweatshop for one time giving money to someone who was 17? Just lawyers upholding the all holy all important important EULA at the expense of what's fair and what's good PR?
      • by vux984 ( 928602 )

        I'm assuming there's no legal reason why one would need to be 18 to get paid for something like this?

        Perhaps he needs to be able to enter into a contract? Non-disclosure agreement, etc.

        Perhaps he runs afoul of some law preventing children from entering contests... he's in Germany so I'm not aware of any in particular, but Maine for example, has the The Predatory Marketing against Minors Act, which has had the result of companies blocking anyone under the age of 18 from entering various contests because the

      • Sure there is, Paypal would not be able to take "ownership" of the find because a contract (reward) is excluded as a way to obtain the ownership in California, where 18 is the age of majority and being able to enter a contract.

  • The next bug.... (Score:5, Insightful)

    by Anonymous Coward on Tuesday May 28, 2013 @09:15AM (#43840149)

    So, the next time a 17yo finds a bug, they don't report it, the exploit it.

    Sounds like a plan.

    Paypal, perhaps all future underage rewards be in the form of scholarships?

  • by Anonymous Coward on Tuesday May 28, 2013 @09:15AM (#43840151)

    PayPal could have paid into his parent's account, and then froze it.

    • They could freeze it until he's 18.

      • by iggymanz ( 596061 ) on Tuesday May 28, 2013 @09:18AM (#43840197)

        or they could give it to his guardian or parents, or at least ask him to name a charity for it to be donated. In short, a dozen ways they could award the money if they weren't cheap-asses, and used their brain a little.

        • by mark-t ( 151149 )

          They could freeze it until he's 18

          This.

          or they could give it to his guardian or parents

          Or this.

          In fact, by expecting children to do something for free that adults would get paid to do, I'm wondering if it might even run afoul of child slavery laws.

  • by TWiTfan ( 2887093 ) on Tuesday May 28, 2013 @09:15AM (#43840153)

    I'm pretty sure most shareholders would rather you part with tiny sum of money that you owe this kid than to take the tsunami of bad PR and bad faith that would result in you being dicks about it.

    • by cdrudge ( 68377 )

      Shareholders don't give a crap. The number of people who won't use Paypal because of this isn't even a blip on their financial impact radar, causing even less of a blip on eBay's stock price.

  • Briliant. (Score:5, Insightful)

    by headhot ( 137860 ) on Tuesday May 28, 2013 @09:16AM (#43840171) Homepage

    Way to piss off the community you asked to hack your system. I'm sure this will go well.

  • by bengoerz ( 581218 ) on Tuesday May 28, 2013 @09:18AM (#43840199)
    If Paypal won't pay the kid for bugs in its system, I bet someone else will.
    • If Paypal won't pay the kid for bugs in its system, I bet someone else will.

      Seems to me that's the entire reason for having a bounty program in the first place.
      Then they dump it because the legal hassle of paying an under-age worker is too difficult.
      Way to strategize.

    • by bhlowe ( 1803290 )
      I bet this kid already has the money and an apology from PayPal. If not now, within the hour.
  • by Picass0 ( 147474 ) on Tuesday May 28, 2013 @09:20AM (#43840229) Homepage Journal
    "Here's a few bucks in a bank account for next year when you go to school!" Oh, no. They didn't think of that. Creeps.
    • Hell, they could have placed it in a paypal acount. "Here's a few bucks in a paypal account that you can use next year to buy hundreds of dollars of textbooks on half.com"
    • by JWW ( 79176 )

      Hell, they could just award the amount to him it the form of a scholarship.

      Most kids turn are 18 before starting college.

      Then it would be up to him to use the money or not by attending college.

      But Paypal would come out of it looking much much more reasonable.

  • Perverse incentive (Score:5, Insightful)

    by wanderfowl ( 2534492 ) on Tuesday May 28, 2013 @09:22AM (#43840241)

    "Remember kids: If you find a bug in Paypal's system, you'll get paid more for selling it to the black hats."

  • Sometimes it's hard not to think Dick had it right in Henry the Sixth.

  • Okay, so they have the rules. But seriously, they could still cut the kid a check as a "Hey cool, nice job kid."

  • by Marrow ( 195242 ) on Tuesday May 28, 2013 @09:33AM (#43840375)

    And hold the money for him until he is 18? And then give it to him. That would satisfy their policies wouldnt it?

  • You know? Like setting up some sort of thing that contributes to a school account or something? That's pretty damned low.

  • by dlb ( 17444 ) on Tuesday May 28, 2013 @09:47AM (#43840529)

    Welcome to the real world.

  • Too young for what ? (Score:5, Interesting)

    by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Tuesday May 28, 2013 @09:48AM (#43840543) Homepage

    If he is too young to receive money for finding a bug, is he also too young to be criminally prosecuted for exploiting a bug ?

  • I wonder when big companies will learn that douchery like this always comes back to bite. Are you unaware of the Internet? You can't get away with it!
  • For a few hundred bucks, the kid learned some valuable lessons that will last a lifetime. That's less than $1 per month.
    • Paypal will fuck you over
    • In fact, large corporations will
    • And so will anyone else
    • Learn to read the fine print
  • Where's the story? (Score:5, Informative)

    by pongo000 ( 97357 ) on Tuesday May 28, 2013 @09:53AM (#43840587)

    FTFA:

    PayPal requires that those reporting bugs have a verified PayPal account.

    The kid didn't have one. Claim denied. What's the story here? (The age thing? That's irrelevant...)

    • Shut uuuup. You're spoiling it.
    • Paaalease. A technicality of insignificance. Except to those trying to be asses.

    • Mod parent up.

      Facts speak louder than vociferous opinions.

    • LOL wow this sums up Slashdot perfectly. A whole ton of posters railing against this silly corporate legalese of Paypal, and the one guy who reads the article smacks it all down with one sentence!

    • by Animats ( 122034 ) on Tuesday May 28, 2013 @11:42AM (#43841953) Homepage

      The rules say that "Payment is paid out through a verified PayPal account, once the bug is fixed." It's not required to have a PayPal account to win. That's just the payment mechanism eBay prefers. Once someone has won, PayPal owes them money. PayPal is a debtor here.

      Debtors do not. in general, get to require that their creditor jump through hoops to get paid. Whether eBay is entitled to require payment via their own system is a legal issue which eBay would probably lose. Any collection lawyer or collection agency should be able to take this case and win.

      On top of that, this is a "contest", and in the US, contests are regulated by the FTC's Contest Rule [ftc.gov]. Federal law limits what a contest operator can require after they've told someone they've "won".

  • by rs1n ( 1867908 ) on Tuesday May 28, 2013 @09:53AM (#43840589)
    Paypal is really stupid -- I would not be surprised if this actually results in the guy finding more bugs and simply just releasing the information without giving Paypal any heads up about it.
  • Normal US procedures (Score:3, Interesting)

    by Sarten-X ( 1102295 ) on Tuesday May 28, 2013 @09:53AM (#43840593) Homepage

    Welcome, Mr. Kugler, to the good ol' US-of-A, where you aren't a real person until you can cast a ballot. If you get a job, you must follow a different set of rules. If you break a law, you get a different justice system. If you win a contest, you have a different set of rules that forbid you from winning anything. That's right, in several states you can't actually own property until you're 18. I'm not sure what jurisdiction PayPal/eBay is playing ball in, but in general, don't expect the government to ever side with anyone who hasn't reached that magical moment where they are instantly freed from their childhood stupidity.

    You see, despite biology saying that humans are mature at around 15 years, the Puritans who founded the United States were rather squeamish about things like youthful ambition, political activism, and worst of all, sex. The generally-accepted age of maturity moved back several years, finally settling at 18, and it's been stuck there. Of course, anyone under 18 who wants to have their full rights doesn't have the right to get them (except through a red-tape-filled emancipation process), and no parents ever want their darling little children to grow up so fast, and no politician would dare propose an affront to "traditional family values", so there are no realistic attempts to get more legal power for minors.

    A few states allow certain adult rights to 16- and 17-year-olds, but those rights are usually restricted to things like "can work on a farm" and "can be prosecuted as an adult for heinous crimes". Practically all other rights are the domain of the parents, so there's a slim chance that your parents could ask for the reward as promised, but that's unlikely to work, because they didn't find the bug.

    Welcome, sir, to America, where our child abuse is civilized!

    • Hold on friend. A 15 yo may look like an adult but they do not think as adults yet. Adolescents do not possess the ability to accurately evaluate the future consequences of their actions. They slowly develop this ability over time. I'm still developing that ability myself, or at least I hope I am.

      This speaks directly to the situation at hand as apparently Paypal wants the "winners" to enter into some type of enforceable contractual agreement. Never mind that knowing Paypal, that contractual agreement
  • Depending on the amount and the state of residence this may be a small claims court case, in which case it would be a slam dunk - and if you do have to go to real court, get the EFF to provide council - thats why they exist...

  • When he turns 18, he should resubmit the bug for reward, and he should get the reward as he is demonstrably the first person who found it.

  • by FellowConspirator ( 882908 ) on Tuesday May 28, 2013 @10:35AM (#43841135)

    That's a foolish thing to do. Now that kid won't report the second bug he found and may just publish it in some innocuous place where it will get picked up by a ne'erdowell and be exploited - something that will no doubt cost more than if PayPal had just done right by the kids in the first place.

  • When you're the only game in town you get to make all the rules.

  • by dpbsmith ( 263124 ) on Tuesday May 28, 2013 @12:13PM (#43842343) Homepage

    PayPal is a subsidiary of eBay. The CEO's name is John Donahue. I've written to him. If anyone else wants to:

    John Donahue
    CEO, eBay
    2055 Hamilton Ave
    San Jose, CA 95125

    It's my belief that as of 2013, a personal letter, written in ink on physical paper in an envelope with a stamp, sent by USPS, has more impact than e-communication or online petitions.

  • The next time a teenager finds an exploit in PayPal, what are the odds they're going to report it, and not exploit it? After this dick move, the report odds go down and the exploit odds go up. Stupid, stupid, stupid.
  • by g0bshiTe ( 596213 ) on Tuesday May 28, 2013 @01:28PM (#43843121)
    There's others out there that will. And generally they are the ones looking to exploit those bugs. Factor that in next time PayPal.

You are always doing something marginal when the boss drops by your desk.

Working...