PayPal Denies Teen Reward For Finding Bug 318
itwbennett writes "You have to be 18 to qualify for PayPal's bug bounty program, a minor detail that 17-year old Robert Kugler found out the hard way after being denied a reward for a website bug he reported. Curiously, the age guideline isn't in the terms and conditions posted on the PayPal website. Kugler was informed by email that he was disqualified because of his age."
Paypal suck. (Score:5, Insightful)
^ That's all.
Re:Paypal suck.CROOKS (Score:3, Insightful)
They're crooks.
Re:Paypal suck. (Score:5, Informative)
At least provide the link [paypalsucks.com].
Re:Paypal suck. (Score:4)
That site has been around forever and a day it seems. There are a number of people who have been screwed over by the company. I wouldn't have any sympathy for those people getting screwed except that some of them appear to (and have provided documentation that appears to be proof) be following all the various rules that PayPal has and yet they're still getting screwed over.
One of the biggest and most common problems I see are the jackasses that reverse the charges because they claim they never got the product. Some of them have been so egregious that they claim the product was not new even though the ad provided by the seller clearly indicated that the product was in used condition. Yet PayPal still found in favor of the buyer and forced the refund. They've locked entire accounts worth thousands of dollars at their whim.
I'm beginning to think that if they want to act like a bank that they need to be regulated as a bank but we've all seen how poorly bank regulation is and how ineffective the government's monitoring of banks is so I'm not sure how much of an actual benefit that would be.
In this case it seems to me that PayPal could easily work with the teen and find an adult who could be awarded the reward on the teens behalf. But, well, why do that when they can simply refer to the rules and save the reward money? Assholes... A part of me wants to say that it is the teens fault for not being aware of the rules or for thinking that the rules don't apply to them. Indeed that would normally have been my attitude. However, this is PayPal and, due to that fact alone, means that I'm not inclined to reward PayPal with good-will thinking or benefit of the doubt thinking.
Re: (Score:3)
Reading the article is against the rules. I'll be damned if I'm going to be known as a rule violator.
Though, well, it doesn't really surprise me that they'd make up an age restriction rule without having mentioned it in the contest. Given that it is PayPal I'm not only not surprised that they didn't mention it, I'd actually be surprised if it DID mention all of the rules. If they mention all of the rules then they may actually have to pay out. We can't have that now can we? Greed isn't just a motto, it's a
scholarship? (Score:5, Insightful)
Give the fucking kid a scholarship to college...or a paid internship at Paypal. Is it not possible for anyone to do any serious work until they are 18 yrs? wtf
Re:scholarship? (Score:5, Insightful)
Re:scholarship? (Score:5, Insightful)
It's not just the security aspect - presumably PayPal is also doing this whole exercise to better their reputation in general. How's that working out?
Re:scholarship? (Score:5, Insightful)
Seriously, paypal done fucked up once more.
They did a great job teaching this kid "I could sell it to paypal for zero dollars, or I can auction it on this underground forum starting at $5000"
The only thing the kid even asked paypal for was a written statement of the accomplishment to put on his resume, and they won't even send that!
Even Microsoft lists him as a security researcher for the updates they have pushed fixing bugs this kid has found and reported to them!
The worst part is, paypal has also just taught these facts to everyone else who happens to know of an exploit in their system, or ever finds one in the future.
Smart move paypal *golf clap* smart move
Re:scholarship? (Score:4, Informative)
No, but generally speaking you cannot enter a contract with a minor, which is probably the legal issue. Age of majority is variable, but in California that is 18 ys old.
They should find a way around it, but they can't just give it to him.
Re:scholarship? (Score:5, Informative)
Actually, no, you can indeed enter into a contract with a minor. If you couldn't, I'd have my kid click through all those license agreements nobody reads.
The minor can be held to a contract that they signed if the parent knew of the contract and demonstrated acceptance, generally by not protesting it. At least that is (generally) the law in the US.
Re:scholarship? (Score:5, Informative)
No, but generally speaking you cannot enter a contract with a minor, which is probably the legal issue. Age of majority is variable, but in California that is 18 ys old.
They should find a way around it, but they can't just give it to him.
I am not a lawyer, but my understanding is that simply paying someone a reward is not entering into a contract.
If Paypal requires that the person who finds the bug enters into a non-disclosure and/or marketing agreement (i.e. to be able to publish their name as the bug finder) prior to receiving the reward then I would agree that this may be the issue. However, there are tons of child actors in Hollywood, so their must be a way that a minor can enter into an agreement. I'm guessing that it would require the legal guardian(s) signature.
Re: (Score:3)
Yea it's BS there are tons of ways around these things. Also, they can't pay him because he isn't an adult old enough to abide by their terms and conditions or whatever, doesn't that gut every EULA everywhere? "My 16 year old installed it."
Re:scholarship? (Score:5, Informative)
Re: (Score:3)
Give the fucking kid a scholarship to college...
He's from Germany and therefore unlikely to face any tuition fees, so I doubt he'll need one.
Why don't businesses get it? (Score:5, Insightful)
Re:Why don't businesses get it? (Score:5, Insightful)
Because the number of users whom don't care or didn't read this news is greater than the people that do. And they will continue to use the service no matter what.
Re: (Score:3)
Who says this is the only report there will be? This is a human interest story that could quite easily be picked up wider than just /.
Re:Why don't businesses get it? (Score:4, Funny)
Re: (Score:2)
damn, was that part in the article? I barely read the summary, but if they are going to include that kind of excitement then it needs to be more obvious.
Re: (Score:2)
The squirrel pulled the release on the trebuchet when the bikini model sat in the launch chair.
Re: (Score:3)
PayPal's assholishness is the stuff of legend. PayPal's customer service nightmares alone have been covered by the major media plenty of times. And yet, people still choose to do business with them. Go figure.
Re:Why don't businesses get it? (Score:4, Insightful)
Because the alternatives are actually worse than paypal. A real merchant account is pretty damn abusive as well, and that's provided you qualify. If you sell trinkets irregularly over the Internet, you may not even qualify for a merchant account (they often have minimum transactions per month, or you pay a fee).
Things like Square work if you have the card or can get someone to send you the card information (which I believe has to be manually entered and doesn't qualify for the low Square rate).
The end result really is that if you want to accept a payment, Paypal is the only option for many. Well, you could save the 5% paypal fee and demand your customers get you a money order or something, but the inconvenience would generally put off many of your customers.
Re: (Score:2)
Somehow I dont think its users that will think twice about selling Paypal vuln to Russian mob instead of disclosing it through proper channels.
Re: (Score:2)
Not even clone?
Re: (Score:2)
What are you trying to say?
Re: (Score:3, Insightful)
No, it isn't obsolete and does matter. Try to get a book published if you're ignorant of grammar. Now, in a forum like this? If you're going to use "whom" you'd better be damned sure you're using it correctly or you'll look both pretentious and ignorant at the same time. Faux intellectuals are annoying. If you don't know when to use "whom" and when to use "who", just don't use "whom" at all. But don't expect anyone to believe you're ever stepped foot in a community college, let alone a university.
Leave "who
Re: (Score:3)
It's not obsolete, it's just not necessary in many cases. But, if you're using it as the object of the preposition there's really no excuse not to use it. And sentences like "who hit who" are better when phrased as "who hit whom." The former requires more thinking than the latter.
Just because most people don't bother, doesn't mean that it's not worth the time. Granted, if you're using more complex sentences it can be ridiculous to diagram them in your head, but for more simple sentences it's not that hard.
Re: (Score:2)
as a person whom recently saw an SNL rerun, I read your entire bit about "cork sniffers" and was rotflmao.
cork soaking at it's best!
Re: (Score:2)
... no true nerd should ever fall prey to.
... to whom no true nerd should ever fall prey.
Just sayin'.
Re: (Score:2)
... no true nerd should ever fall prey to.
... to which no true nerd should ever fall prey.
Just sayin'.
Oh crap.
Re: (Score:3)
Err... *yes it it*. It's *communication*. Ie it's a passing of information from one person to another, so both people need to understand and agree on the meaning of the words used! (ok, so this particular case the words who and whom are similar enough to be guessed, but if they were very different and the other person didn't understand the obscure & pointless word you used, it's your fault for using it)
What a sad world it would be if language were solely about communicating clear, distinct meanings.
Re: (Score:3)
Probably, but your first instance of "in" was certainly redundant! ;)
Re: (Score:2)
That's a REALLY good way to generate positive publicity for your company - act like a douche.
Payouts from just about any 'contest' style arrangement to under-18s tend to be legally obnoxious; but Paypal are a bunch of legendary assholes(and not mentioning such a salient limitation is a total dick move), so I'm not inclined to give them the benefit of the doubt. I'm a bit surprised that they didn't just accuse him of hacking and then freeze and seize a few dozen random accounts...
Re: (Score:2)
They could have paid out to his parents too.
Re:Why don't businesses get it? (Score:5, Insightful)
Oh, they could have done any number of things that aren't "be a total asshole".
My point was merely that it is practically boilerplate for contests to have an "Applicants must be US residents 18 years or older" clause to keep legal complexity down, so that part of the story isn't too unexpected. It's just the not having that clause, and then springing it on him anyway, and not even trying to make amends in some other fashion, that is just classic Paypal... Merely forbidding under-18's, because they are a greater pain to deal with, is pretty normal.
Re: (Score:3)
This is the point where Paypal learns the hard way that his parents did not consent to him accepting the terms of service where he agreed to mandatory binding arbitration.
Re:Why don't businesses get it? (Score:4, Informative)
Payouts from just about any 'contest' style arrangement to under-18s tend to be legally obnoxious; but Paypal are a bunch of legendary assholes(and not mentioning such a salient limitation is a total dick move), so I'm not inclined to give them the benefit of the doubt. I'm a bit surprised that they didn't just accuse him of hacking and then freeze and seize a few dozen random accounts...
What happens legally if you are 18 or over: You enter a contract with Paypal that allows them to make use of the bug information that you found and gave them, and in exchange they give you some money. What happens if you are under 18: The same, but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them. Now consider what happens if they fixed a bug based on your information, shipped a product and suddenly they have no permission anymore to use the information. Ugly.
Re:Why don't businesses get it? (Score:5, Insightful)
but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them. Now consider what happens if they fixed a bug based on your information, shipped a product and suddenly they have no permission anymore to use the information. Ugly.
If someone discovers a flaw in a system, you are not barred from ever fixing that flaw in the future. Whether or not the person that discovered the flaw is a minor is irrelevant.
If they offer a potential code fix you can chose not to use their code and avoid all liability.
You can try to fabricate a strawman argument to try to prove your point, but what you said is just plain wrong.
Re: (Score:3)
What happens legally if you are 18 or over: You enter a contract with Paypal that allows them to make use of the bug information that you found and gave them, and in exchange they give you some money. What happens if you are under 18: The same, but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them.
Kids write, record and perform songs all the time, the the record companies have found a way to hold them to contracts. Ditto for kids that appear in films. What does Nashville and Hollywood know that PayPal can't figure out?
Re: (Score:2)
Some companies don't care whether it's good publicity or bad publicity as long as it brings their name into the public eye.
Secret conditions (Score:5, Insightful)
So, basically, they have secret conditions to their offer to pay for revealing of bugs, and they don't tell anybody what those secret conditions are.
So, uh, why would anybody expect to be paid? What other secret conditions do they have, which they can reveal at any time and say "oh, so sorry, but one of our terms is that we don't pay under (xx) conditions."
--I'm sorry, but we don't pay if you work for a competitor, or a company that we deem might be a competitor in the future
--I'm sorry, but we don't pay if it's a vulnerability that can be traced to a flaw in an Adobe product, or in a commercial database program we may use that was purchased from an commercial source.
--I'm sorry, but we don't pay if you're from a country that doesn't speak English.
--I'm sorry, but we don't pay if the vulnerability is discovered by somebody from states with names beginning with a vowel.
--I'm sorry, but we don't pay if the vulnerability is one that is only active on days of the week ending in "y".
Re: (Score:3)
I think PayPal assumed like many other companies that you have to be an adult to consent to things that involve money and contracts. Every contest for minors I've seen normally requires parental consent. The bounty program says this specifically:
As between eBay Inc. and the Submitter, as a condition of participation in the PayPal Bug Bounty program, the Submitter grants eBay Inc., its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission for any purpose.
There is no way, a minor could agree and consent to that. Now PayPal could revise its policies now and in the future, but there is a reason not to let minors in.
Re: (Score:2, Informative)
"That's a REALLY good way to generate positive publicity for your company - act like a douche."
They are a bank and have to respect the law. No business with minors is one of them.
Just as alcohol or cigarette vendors they just cannot do business with kids.
Re:Why don't businesses get it? (Score:5, Insightful)
They have fought tooth and nail - successfully - to remain very much not a bank. Banks have extensive regulations regarding when, how, and for how long they can lock you out of access to your own money, which runs contrary to Paypal's "when in doubt, just steal from our customers" business model.
No business with minors is one of them.
First of all, this kid already had a Paypal account. They never hesitated to take his money, and only mentioned this rule when it came time to pay some out.
And second - Just "no". Doing business with kids imposes a small extra burden on the company to make sure the parents approve, or they risk having a reduced ability to pass the buck on any derived liability. A bit more stringent, we have COPPA adding a ton of privacy requirements for kids under 13, but that doesn't apply here (and even then doesn't make such accounts illegal, it just requires parental approval and blocks the company from tracking/selling certain information about the kids).
Re: (Score:3)
Re: (Score:2)
Nonsense. All publicity is good publicity. And think of all of the good publicity PayPal will receive in the future when the next time a bug like this is sold on the Russian bug exchange instead of sent directly to PayPal, resulting in thousands, possibly millions of dollars in losses.
Re: (Score:2)
Re: (Score:3)
I'm assuming there's no legal reason why one would need to be 18 to get paid for something like this?
Perhaps he needs to be able to enter into a contract? Non-disclosure agreement, etc.
Perhaps he runs afoul of some law preventing children from entering contests... he's in Germany so I'm not aware of any in particular, but Maine for example, has the The Predatory Marketing against Minors Act, which has had the result of companies blocking anyone under the age of 18 from entering various contests because the
Re: (Score:2)
Re: (Score:2)
Sure there is, Paypal would not be able to take "ownership" of the find because a contract (reward) is excluded as a way to obtain the ownership in California, where 18 is the age of majority and being able to enter a contract.
Re: (Score:2)
The next bug.... (Score:5, Insightful)
So, the next time a 17yo finds a bug, they don't report it, the exploit it.
Sounds like a plan.
Paypal, perhaps all future underage rewards be in the form of scholarships?
Re:The next bug.... (Score:4, Insightful)
If I was him, next time I'd setup a system where people could donate bitcoins. Once the total reached the target amount the exploit gets released with the largest donator getting to choose who it gets released to.
I could be worse. (Score:5, Funny)
PayPal could have paid into his parent's account, and then froze it.
Re: (Score:2)
They could freeze it until he's 18.
Re:I could be worse. (Score:5, Insightful)
or they could give it to his guardian or parents, or at least ask him to name a charity for it to be donated. In short, a dozen ways they could award the money if they weren't cheap-asses, and used their brain a little.
Re: (Score:2)
This.
Or this.
In fact, by expecting children to do something for free that adults would get paid to do, I'm wondering if it might even run afoul of child slavery laws.
Just give the kid his money (Score:5, Insightful)
I'm pretty sure most shareholders would rather you part with tiny sum of money that you owe this kid than to take the tsunami of bad PR and bad faith that would result in you being dicks about it.
Re: (Score:3)
Shareholders don't give a crap. The number of people who won't use Paypal because of this isn't even a blip on their financial impact radar, causing even less of a blip on eBay's stock price.
Briliant. (Score:5, Insightful)
Way to piss off the community you asked to hack your system. I'm sure this will go well.
Re: (Score:2)
Let this be a Lesson (Score:5, Insightful)
Re: (Score:3)
If Paypal won't pay the kid for bugs in its system, I bet someone else will.
Seems to me that's the entire reason for having a bounty program in the first place.
Then they dump it because the legal hassle of paying an under-age worker is too difficult.
Way to strategize.
Re: (Score:2)
They could have placed it in a college scholarship (Score:5, Insightful)
Re: (Score:2)
Re:They could have placed it in a college scholars (Score:4, Insightful)
Re: (Score:2)
True... but equivalently, a smart person has no statistically valid reason to actually *expect* it to happen to them, personally, at any given time, simply because they happen to have an account with paypal.
I'm not suggesting that it's a reason to trust them implicitly, I'm only suggesting that overemphasizing the importance of outlying cases to the point that one thinks they should expect such incidents as a matter of regular order of business is not valid.
Re: (Score:2)
Hell, they could just award the amount to him it the form of a scholarship.
Most kids turn are 18 before starting college.
Then it would be up to him to use the money or not by attending college.
But Paypal would come out of it looking much much more reasonable.
Perverse incentive (Score:5, Insightful)
"Remember kids: If you find a bug in Paypal's system, you'll get paid more for selling it to the black hats."
Lunacy only PayPal Lawyers could Love (Score:2)
Sometimes it's hard not to think Dick had it right in Henry the Sixth.
Lame... (Score:2)
Okay, so they have the rules. But seriously, they could still cut the kid a check as a "Hey cool, nice job kid."
So they are going to do the right thing right? (Score:4, Insightful)
And hold the money for him until he is 18? And then give it to him. That would satisfy their policies wouldnt it?
They could have been bigger about this (Score:2)
You know? Like setting up some sort of thing that contributes to a school account or something? That's pretty damned low.
Dear Kid, (Score:3)
Welcome to the real world.
Too young for what ? (Score:5, Interesting)
If he is too young to receive money for finding a bug, is he also too young to be criminally prosecuted for exploiting a bug ?
Re: (Score:3)
If he is too young to receive money for finding a bug, is he also too young to be criminally prosecuted for exploiting a bug ?
No, he's too young to enter into a contract to receive money for finding a bug.
Don't like it, change US contract law.
So you wouldn't pay the kid that found your lost dog the reward you promised?
This has nothing to do with contract law. Paypal could pay him any number of ways (ie via the parents or when he turns 18).
They never learn (Score:2)
Paypal did him a favor (Score:2)
Where's the story? (Score:5, Informative)
FTFA:
PayPal requires that those reporting bugs have a verified PayPal account.
The kid didn't have one. Claim denied. What's the story here? (The age thing? That's irrelevant...)
Re: (Score:3)
Re: (Score:2)
Paaalease. A technicality of insignificance. Except to those trying to be asses.
Re: (Score:2)
Facts speak louder than vociferous opinions.
Re: (Score:3)
LOL wow this sums up Slashdot perfectly. A whole ton of posters railing against this silly corporate legalese of Paypal, and the one guy who reads the article smacks it all down with one sentence!
Debtor cannot dictate form of payment (Score:5, Interesting)
The rules say that "Payment is paid out through a verified PayPal account, once the bug is fixed." It's not required to have a PayPal account to win. That's just the payment mechanism eBay prefers. Once someone has won, PayPal owes them money. PayPal is a debtor here.
Debtors do not. in general, get to require that their creditor jump through hoops to get paid. Whether eBay is entitled to require payment via their own system is a legal issue which eBay would probably lose. Any collection lawyer or collection agency should be able to take this case and win.
On top of that, this is a "contest", and in the US, contests are regulated by the FTC's Contest Rule [ftc.gov]. Federal law limits what a contest operator can require after they've told someone they've "won".
How to turn a white hat against you (Score:3)
Normal US procedures (Score:3, Interesting)
Welcome, Mr. Kugler, to the good ol' US-of-A, where you aren't a real person until you can cast a ballot. If you get a job, you must follow a different set of rules. If you break a law, you get a different justice system. If you win a contest, you have a different set of rules that forbid you from winning anything. That's right, in several states you can't actually own property until you're 18. I'm not sure what jurisdiction PayPal/eBay is playing ball in, but in general, don't expect the government to ever side with anyone who hasn't reached that magical moment where they are instantly freed from their childhood stupidity.
You see, despite biology saying that humans are mature at around 15 years, the Puritans who founded the United States were rather squeamish about things like youthful ambition, political activism, and worst of all, sex. The generally-accepted age of maturity moved back several years, finally settling at 18, and it's been stuck there. Of course, anyone under 18 who wants to have their full rights doesn't have the right to get them (except through a red-tape-filled emancipation process), and no parents ever want their darling little children to grow up so fast, and no politician would dare propose an affront to "traditional family values", so there are no realistic attempts to get more legal power for minors.
A few states allow certain adult rights to 16- and 17-year-olds, but those rights are usually restricted to things like "can work on a farm" and "can be prosecuted as an adult for heinous crimes". Practically all other rights are the domain of the parents, so there's a slim chance that your parents could ask for the reward as promised, but that's unlikely to work, because they didn't find the bug.
Welcome, sir, to America, where our child abuse is civilized!
mature at around 15 (Score:2)
This speaks directly to the situation at hand as apparently Paypal wants the "winners" to enter into some type of enforceable contractual agreement. Never mind that knowing Paypal, that contractual agreement
Sue them... (Score:2)
Depending on the amount and the state of residence this may be a small claims court case, in which case it would be a slam dunk - and if you do have to go to real court, get the EFF to provide council - thats why they exist...
Solution (Score:2)
When he turns 18, he should resubmit the bug for reward, and he should get the reward as he is demonstrably the first person who found it.
The next bug will cost more. (Score:3)
That's a foolish thing to do. Now that kid won't report the second bug he found and may just publish it in some innocuous place where it will get picked up by a ne'erdowell and be exploited - something that will no doubt cost more than if PayPal had just done right by the kids in the first place.
Only game in town (Score:2)
When you're the only game in town you get to make all the rules.
Name, address of eBay CEO (Score:3)
PayPal is a subsidiary of eBay. The CEO's name is John Donahue. I've written to him. If anyone else wants to:
John Donahue
CEO, eBay
2055 Hamilton Ave
San Jose, CA 95125
It's my belief that as of 2013, a personal letter, written in ink on physical paper in an envelope with a stamp, sent by USPS, has more impact than e-communication or online petitions.
This is a stupid move. (Score:3)
If they won't pay because of his age (Score:3)
Re: (Score:2)
Re: (Score:2)
Yeah hopefully he can get a nice job from the publicity. If it was a 5-digit prize that could be a life-changing amount of money for a Gen. Y'er.
Re: (Score:2)
Fuck the scholarship - Why should the kid be forced to spend that rewarrd cash on education? Hell, a kid with skills like that can get a great job without college more than likely!
Re: (Score:2)
What's the purpose of this 'over 18' rule anyway?.
Taxes, unfortunately.