Paypal For Security Researchers
06-26-2012, 01:13 AM
Post: #1
For Customers: Reporting Suspicious Emails

Customers who think they have received a phishing email, please learn more about phishing at https://cms.paypal.com/us/cgi-bin/market...ity_topics, or forward it to spoof@paypal.com.

For Customers: Reporting All Other Concerns

Customers who have issues with their PayPal account, please visit: https://www.paypal.com/cgi-bin/helpscr?c...scalateTab

For Professional Researchers: Bug Bounty Program

If you are a security researcher and you've discovered a site or product vulnerability, please forward your details to us at sitesecurity@paypal.com. Click here to get our PGP public key: https://www.paypal.com/en_US/html/SecurityCenter/PayPalSiteSecurity.txt

Our team of dedicated security professionals works vigilantly to keep customer information secure. We recognize the important role that security researchers and our user community play in keeping PayPal and our customers secure. If you discover a site or product vulnerability, please notify us using the guidelines below.

To encourage responsible disclosure, we commit that, if we conclude that a disclosure respects and meets all the guidelines outlined below, we will not bring a private action or refer a matter for public inquiry.

The PayPal security team will determine the bounty amount and all decisions are final. The bounty is awarded to the first person who discovers a previously unknown bug. The bug bounty program is subject to change or cancellation at any point without notice. The bug bounty is valid for the following site: http://www.paypal.com. Payment is made through a verified PayPal account once the bug is fixed.

For all submissions, do not send us personal information in your report, and please use our PGP key to encrypt your email. Individuals from sanctioned countries are not allowed to participate in this program. eBay Inc. employees, contractors and their immediate relatives are not allowed to participate in the program.

Vulnerabilities that are in scope:

Note: While "Logout CSRF" is a well-acknowledged issue, there are other techniques (http://scarybeastsecurity.blogspot.com/2...p-bug.html) like "cookie forcing" and "cookie bombardment" that can make it futile to defend against this attack. Also, our web sessions are relatively short-lived, and hence the Bug Bounty panel will not consider reports of the ability to log out users from PayPal as qualifying for the reward.

In your bug submission email, please include the following:

Guidelines for responsible disclosure

Terms for participation

Do not engage in security research that involves:
- Potential or actual denial of service of PayPal applications and systems.
- Use of an exploit to view another user's data without their authorization, or to corrupt data.

Source
Paypal For Security Researchers - jaap1123 - 06-26-2012 01:13 AM