Great news! A few months ago I submitted a cross-site scripting (XSS) vulnerability to PayPal's official bug bounty program.
It was accepted, fixed, and fully paid out, and I was very excited about the nice bounty :-). Additionally, this was my first participation in an official bug bounty program, and quite a great experience. Racing for bugs is fun, especially when beating the big players! Ok, now the facts: the vulnerability was taken seriously by the security team, and they took some time to fix the issue carefully, which is acceptable for a site as complex as this one. However, I'm still wondering about one very frustrating thing: the communication process. It sometimes took days to weeks to get an answer from the security team, and some of my messages are still unanswered today 🙁 I hope PayPal will improve this in the future!
Anyway. These bug bounty programs are a great way to secure websites and applications, and they make the product even stronger. Why rely on the help of ONE pentesting consultant when you can have many eyes testing your system for good, and reward the researchers with attractive bounties?
Google is the perfect example (again; yes, I like them): they pay out for every high- and critical-severity vulnerability in Chrome and even for smaller vulnerabilities on their websites. If you find, e.g., a SQL injection on one of their flagship websites, they'll pay you around $20,000; if you find a way to exploit Chrome using a very complex method, they'll pay you even more, or probably offer you a job ;-). Other vendors like Facebook, Mozilla, or GitHub go this way too, and it seems to work quite smoothly. Why is Google's Chrome considered the safest browser on earth? And why is Internet Explorer the worst? There should be more bug bounties like these!