Paypal For Security Researchers
06-26-2012, 01:13 AM
Post: #1
For Customers: Reporting Suspicious Emails

Customers who think they have received a phishing email: please learn more about phishing at https://cms.paypal.com/us/cgi-bin/market...ity_topics, or forward the email to spoof@paypal.com.

For Customers: Reporting All Other Concerns

Customers who have issues with their PayPal account: please visit https://www.paypal.com/cgi-bin/helpscr?c...scalateTab

For Professional Researchers: Bug Bounty Program

If you are a security researcher, and you've discovered a site or product vulnerability, please forward your details to us at sitesecurity@paypal.com.

Our PGP public key is available at https://www.paypal.com/en_US/html/SecurityCenter/PayPalSiteSecurity.txt

Our team of dedicated security professionals works vigilantly to keep customer information secure. We recognize the important role that security researchers and our user community play in keeping PayPal and our customers secure. If you discover a site or product vulnerability, please notify us using the guidelines below.

To encourage responsible disclosure, we commit that, if we conclude that a disclosure respects and meets all the guidelines outlined below, we will not bring a private action or refer a matter for public inquiry.

The PayPal security team will determine the bounty amount, and all decisions are final.

The bounty is awarded to the first person who discovers a previously unknown bug.

The bug bounty program is subject to change or to cancellation at any point without notice.

Bug bounty is valid for the following site: http://www.paypal.com.

Payment is made to a verified PayPal account once the bug is fixed.

For all submissions, do not send us personal information in your report and please use our PGP key to encrypt your email.

Individuals from sanctioned countries are not allowed to participate in this program.

eBay Inc. employees, contractors and their immediate relatives are not allowed to participate in the program.

Vulnerabilities that are in scope:
  • XSS
  • CSRF/XSRF
  • SQLi
  • Authentication bypass
Note: While "Logout CSRF" is a well-acknowledged issue, there are other techniques (http://scarybeastsecurity.blogspot.com/2...p-bug.html) like "cookie forcing" and "cookie bombardment" that can make it futile to defend against this attack. Also, our web sessions are relatively short lived and hence the Bug Bounty panel will not consider reports of the ability to log out users from PayPal as qualifying for the reward.

In your bug submission email, please include the following:
  • Your email address
  • Your PayPal account (in order to receive the bounty)
  • Vulnerability type (e.g., XSS, CSRF, SQLi)
  • Vulnerability Scope: Domain(s), URL(s) and Parameter(s) impacted
  • Steps to reproduce bug
Guidelines for responsible disclosure
  • Share the security issue with us before making it public on message boards, mailing lists, and other forums.
  • Allow us reasonable time to respond to the issue before disclosing it publicly.
  • Provide full details of the security issue.
Terms for participation
  • As between eBay Inc. and the Submitter, as a condition of participation in the PayPal Bug Bounty program, the Submitter grants eBay Inc., its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission for any purpose. Submitter represents and warrants that the Submission is original to the Submitter and Submitter owns all rights, title and interest in and to the Submission. Submitter waives all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to eBay. In no event shall eBay be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Proposal, so long as eBay complies with the terms of participation stated herein.

Do not engage in security research that involves:
  • Potential or actual denial of service of PayPal applications and systems.
  • Use of an exploit to view another user's data without their authorization, or to corrupt data.

Source

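The note above about "cookie forcing" and "cookie bombardment" is the one technical point in the program text, so here is a worked illustration of it. This is an added example, not part of the original post and not PayPal's code: a toy browser cookie jar (simplified RFC 6265 domain matching, send ordering and a per-site cookie cap) in front of a server whose /logout endpoint is protected by a CSRF token. The hostnames (app.example.com, static.example.com), the endpoints, the 50-cookie eviction policy and the "server reads the first session cookie" behaviour are all assumptions made for the demonstration.

```python
"""Toy model of why a CSRF token on /logout does not stop an attacker from logging a
user out once cookies can be forced. Constructed example, not PayPal's code: Browser is
a simplified RFC 6265 cookie jar (domain match, send order, per-site eviction); the
hostnames, endpoints and the 50-cookie cap are assumptions."""
import secrets
from dataclasses import dataclass

COOKIES_PER_SITE = 50  # RFC 6265 s6.1 minimum a UA must keep; extras get evicted (assumed policy)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # "app.example.com" (host-only) or ".example.com" (Domain= attribute)
    path: str
    seq: int     # creation order: oldest evicted first, earliest sent first


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Host-only cookies match one host; Domain= cookies match every subdomain."""
    if cookie_domain.startswith("."):
        return host == cookie_domain[1:] or host.endswith(cookie_domain)
    return host == cookie_domain


def site(host: str) -> str:
    return ".".join(host.lstrip(".").split(".")[-2:])  # toy "registrable domain"


class Browser:
    def __init__(self):
        self.jar, self.seq = [], 0

    def set_cookie(self, from_host, name, value, domain=None, path="/"):
        # Any host under example.com may set Domain=.example.com: the hole cookie forcing abuses.
        domain = domain or from_host
        if not domain_matches(from_host, domain):
            raise ValueError(f"{from_host} may not set a cookie for {domain}")
        self.seq += 1
        self.jar = [c for c in self.jar if (c.name, c.domain, c.path) != (name, domain, path)]
        self.jar.append(Cookie(name, value, domain, path, self.seq))
        mine = sorted((c for c in self.jar if site(c.domain) == site(from_host)), key=lambda c: c.seq)
        for old in mine[: max(0, len(mine) - COOKIES_PER_SITE)]:
            self.jar.remove(old)  # over the cap: the oldest cookie for the site is dropped

    def cookie_header(self, host, path):
        """RFC 6265 s5.4: all matching cookies are sent, longer paths first, then earlier
        creation; two cookies with the same name are both sent, not merged."""
        sent = [c for c in self.jar if domain_matches(host, c.domain) and path.startswith(c.path)]
        return [(c.name, c.value) for c in sorted(sent, key=lambda c: (-len(c.path), c.seq))]


class Server:
    HOST = "app.example.com"

    def __init__(self):
        self.sessions, self.csrf = {}, {}

    def _sid(self, browser, path):
        # Uses the first "session" cookie in the header, as most cookie parsers do (assumption).
        return next((v for k, v in browser.cookie_header(self.HOST, path) if k == "session"), None)

    def login(self, browser):
        sid, token = secrets.token_hex(8), secrets.token_hex(8)
        self.sessions[sid], self.csrf[sid] = "alice", token
        browser.set_cookie(self.HOST, "session", sid)
        return token

    def whoami(self, browser):
        return self.sessions.get(self._sid(browser, "/account"))

    def logout(self, browser, token):
        sid = self._sid(browser, "/logout")
        if sid in self.sessions and self.csrf[sid] == token:  # the logout-CSRF defence
            del self.sessions[sid]
            return True
        return False


def cookie_forcing(browser):
    """Attacker script on a sibling host (XSS there, or a plain-HTTP injection) plants a
    same-named Domain cookie with a longer path, which is sent ahead of the real one."""
    browser.set_cookie("static.example.com", "session", "forced", domain=".example.com", path="/account")


def cookie_bombardment(browser):
    """Same vantage point: flood the site with junk cookies until the session cookie is evicted."""
    for i in range(COOKIES_PER_SITE):
        browser.set_cookie("static.example.com", f"junk{i}", "x" * 4000, domain=".example.com")


def run_scenarios():
    results = {}
    b, s = Browser(), Server()
    token = s.login(b)
    results["csrf_without_token"] = (s.logout(b, None), s.whoami(b))  # defended: (False, "alice")
    results["csrf_with_token"] = s.logout(b, token)                    # legitimate logout: True
    b, s = Browser(), Server()
    s.login(b)
    cookie_forcing(b)
    results["cookie_forcing"] = s.whoami(b)                            # logged out anyway: None
    b, s = Browser(), Server()
    s.login(b)
    cookie_bombardment(b)
    results["cookie_bombardment"] = (s.whoami(b), len(b.jar))          # logged out anyway: (None, 50)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The first scenario shows the defence working: a cross-site POST to /logout without the token is refused. The next two show why the panel treats it as worthless: an attacker who can set cookies for the parent domain from any sibling host (or over plain HTTP) either shadows the session cookie with a bogus one or evicts it outright, and the user is logged out without /logout ever being called. Real browsers differ in their exact ordering and eviction rules, so treat the numbers as illustrative; the structural point, that the token guards an outcome the attacker can reach another way, is what the post relies on.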