Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

PayPal Reviewing Qualifying Age For Vulnerability Rewards

Unknown Lamer posted about a year ago | from the break-it-before-you-can-use-it dept.

Bug 95

itwbennett writes "In follow-up to 17-year old Robert Kugler's claim that PayPal denied him a bug bounty because he was under 18, the company now says that it is 'investigating whether it can lower the qualifying age for vulnerability rewards for those who responsibly report security problems.' The company also said that the vulnerability had already been reported by another researcher — although they didn't mention that in the email to Kugler telling him he wouldn't be receiving payment."

cancel ×

95 comments

Award scholarships for under-aged people (2)

WillAdams (45638) | about a year ago | (#43850921)

That should sidestep all the legal complications.

Re:Award scholarships for under-aged people (-1, Redundant)

Archangel Michael (180766) | about a year ago | (#43851121)

"Legal Complications"

If there is legal reasons to not award people under the age of 17 with rewards and such for doing good, then the law is wrong. But then again, this is the "nanny state" where we write laws to protect people from themselves, and in the name of "protecting the children". These laws fix outlying problems at the expense of everyone else.

Re:Award scholarships for under-aged people (5, Informative)

Synerg1y (2169962) | about a year ago | (#43851281)

OP is a dumbass, there aren't any legal complications here, just policy:

Kugler has a record for finding security problems. He's received two payments for US$4,500 from Mozilla for finding two problems in its Firefox browser and also was listed as a noted security researcher by Microsoft last month.

Mozilla had no problem paying him.

Re:Award scholarships for under-aged people (1, Insightful)

davmoo (63521) | about a year ago | (#43851655)

Mozilla is not a publicly traded corporation and all profits are plowed back in to Mozilla.

PayPal's parent eBay, on the other hand, is a publicly traded corporation who's goal is to make a profit for stock holders. Thus laws for it are very different.

Comparing a Mozilla bug payment to a PayPal bug payment is a very apples to oranges comparison.

And you need to learn how to debate an issue without attacking others by calling them "dumbass".

Re:Award scholarships for under-aged people (1)

Trimaxion (2933647) | about a year ago | (#43852493)

Mozilla is not a publicly traded corporation and all profits are plowed back in to Mozilla.

PayPal's parent eBay, on the other hand, is a publicly traded corporation who's goal is to make a profit for stock holders. Thus laws for it are very different.

Honest question:

Are you saying that Mozilla has fewer constraints with respect to paying minors because it is a non-profit org?

What if we were talking about a privately held for-profit corporation? Would they be constrained just as the publicly traded corp is?

Yeah I know... ask a lawyer... :(

Re:Award scholarships for under-aged people (3, Interesting)

Synerg1y (2169962) | about a year ago | (#43852499)

None of what you said has anything to do with the age of the bug researcher. Still a pretty stupid argument imo, name one law that would prevent a 17 year old from getting paid for finding a bug.

I do however agree that they are not the same company and would go about writing their policy around it differently, but that has nothing to do with the legality of it whatsoever.

Your "insightful" off point and irrelevant statement got mine downmodded you ho. J/k :)

And one more time just to be clear: corporate policy != law and amen for that.

Re:Award scholarships for under-aged people (0)

Anonymous Coward | about a year ago | (#43853415)

I thinks its safe to presume PayPal wants to keep the bug secret or control how / when he talks about it in exchange for the reward. They can not enter into a contract with a 17 year old minor so they don't give him the money. They aren't paying for finding the bug, they are paying for silence and control over it after its found. The $ for finding phrasing is just better PR wording.

Re:Award scholarships for under-aged people (1)

Synerg1y (2169962) | about a year ago | (#43853501)

AC, it's actually an NDA that makes the most sense that they would make him sign, a contract has a start and end date, an NDA can say something like no disclosure till the bug is fixed.

My point stands, there's no legal problem here as NDAs are not age specific.

http://en.wikipedia.org/wiki/Non-disclosure_agreement [wikipedia.org]

Re:Award scholarships for under-aged people (1)

Anonymous Coward | about a year ago | (#43855217)

From your link:

"A non-disclosure agreement (NDA), also known as a confidentiality agreement (CA), confidential disclosure agreement (CDA), proprietary information agreement (PIA), or secrecy agreement, is a legal contract between at least two parties"

Re:Award scholarships for under-aged people (0)

Anonymous Coward | about a year ago | (#43853703)

The bug reporters age and the type of company or corporation involved do not change anything about this scenerio. Paypal is not prohibited from paying this individual by law. If you honestly think there is a law prohibiting such then you need to provide the citation. Paypal is currently choosing to not pay this individual based on their own policies and nothing else.

Re:Award scholarships for under-aged people (0)

Anonymous Coward | about a year ago | (#43857151)

You stupid fucking moron, stop posting utter nonsense. Full of yourself and completely wrong, really a winning combination.

Re:Award scholarships for under-aged people (0)

Sarten-X (1102295) | about a year ago | (#43851703)

Parent is a dumbass, "somebody else did it first" isn't a legal defense, just wishful thinking.

...especially when the "somebody else" is a completely different type of entity operating in a different jurisdiction with different laws and in different circumstances.

Re:Award scholarships for under-aged people (0)

Anonymous Coward | about a year ago | (#43851993)

"somebody else did it first" isn't a legal defense

Um, yes it is [wikipedia.org] .

...especially when the "somebody else" is a completely different type of entity

Ok, here you have a point.

Re:Award scholarships for under-aged people (0)

Anonymous Coward | about a year ago | (#43852273)

His first point stands, too. That isn't how precedent works.

Re:Award scholarships for under-aged people (0)

Anonymous Coward | about a year ago | (#43857433)

PP policy should have had an underlining clause, "if you are under 18 you will need parents/legal guardians permission to claim prize" How f***ng retarded can paypal be over a simple line? Oh wait considering how they f*** people over, time and time again they are retarded.

Mozilla is open-source, and more, open, to giving out rewards not based on age, they want people of any age to be involved, you know what they say? Youth is the future. Thats difference between corrupt closed companies like PayPal, and open source companies like Mozilla.

Love there PR attempt by the way, yes, come out and say someone else found it, after it becomes a internet media frenzy, classy, real classy.. Again to retarded to put in the email to the young man "XXXXXX found this bug, sorry"

Re:Award scholarships for under-aged people (0)

RoboRay (735839) | about a year ago | (#43851403)

Thank your child labor laws and overprotective nanny state.

Re:Award scholarships for under-aged people (1)

Joce640k (829181) | about a year ago | (#43852727)

"Legal Complications"

If there is legal reasons to not award people under the age of 17 with rewards and such for doing good, then the law is wrong. But then again, this is the "nanny state" where we write laws to protect people from themselves, and in the name of "protecting the children". These laws fix outlying problems at the expense of everyone else.

And remember...this is Germany, where 16 is the legal age for getting a job.

Re:Award scholarships for under-aged people (1)

CanHasDIY (1672858) | about a year ago | (#43851321)

That should sidestep all the legal complications.

Or, they could do what child-oriented contests and websites have done since time unknown:

Kids! Get your parents to submit written permission and you too can take part in whatever the hell it is we're doing!

Re:Award scholarships for under-aged people (0)

Anonymous Coward | about a year ago | (#43854605)

a circle jerk?

Re:Award scholarships for under-aged people (1)

anthony_greer (2623521) | about a year ago | (#43851379)

it was promised as a cash reward, don't force him to spend it on university...put it in escrow and cut him a check when he turns 18 if there is an age issue

Re:Award scholarships for under-aged people (3)

Guppy (12314) | about a year ago | (#43851753)

And give the scholarship a grand-sounding name, so the kid can get some extra mileage in buffing his resume; such documents are often read by non-technical personnel who might misunderstand "Earned $**** reward for finding security vulnerability" (OMG HAX!), but would love to see something like "Recipient of the Paypal Merit Scholarship for Computing Security Excellence in Youth".

Re: Award scholarships for under-aged people (0)

Anonymous Coward | about a year ago | (#43854623)

Hey Kid,

Get your parents to sign off and we will hire you full time to hack against the Chinese

Signed
Uncle Sam

Why restrict it at all? (3, Insightful)

HalAtWork (926717) | about a year ago | (#43850929)

It's a voluntary process, why would they need to restrict it? It's not like it's forced child labor. If anything, it's a learning experience.

Re:Why restrict it at all? (5, Insightful)

idontgno (624372) | about a year ago | (#43851007)

If anything, it's a learning experience.

Indeed. A valuable lesson for any impressionable youth to learn: Paypal will work very hard to screw you out of anything it can. Unless the PR blowback gets bad enough.

(Paypal can apparently tolerate a certain low buzz of "Paypal sucks". They have considerably more trouble with Streisand-amplified flack.)

Re:Why restrict it at all? (0)

Anonymous Coward | about a year ago | (#43851803)

(Paypal can apparently tolerate a certain low buzz of "Paypal sucks". They have considerably more trouble with Streisand-amplified flack.)

Just wait until there are only monopolies left, and every damn one of them can tolerate a certain "buzz" of YourCompany sucks. Facebook can piss people off DAILY (charging money to send emails to the Inbox, the #FBRape campaign, and an endless shitstorm of we're-changing-default-privacy-settings-again), and yet they simply DO NOT CARE.

Why?

The answer is simple. Sheer numbers. As in so many damn customers there's no way you could do something to offend them all, thus almost guaranteeing success regardless of negative publicity. Charging money for individual emails would have strung CIOs up by their Startacs 10 years ago. Now, it's "meh". And people pay. And pay. And pay.

Slap a contract on top of that, and now you've got your pissed off customers right where you want them. Kind of like the recent "surcharge" AT&T imposed on every single wireless customer that generated millions overnight.

Re:Why restrict it at all? (0)

Anonymous Coward | about a year ago | (#43852133)

Charging money for individual emails

You realize that it doesn't actually cost anything if you're allowed to by the person right? Facebook is horrible in all of the ways you mention, but at least pick your examples right. The point is sane, if people are willing to pay money to Facebook to email a stranger, they probably have something important enough for the email to go through. It's a way for artists and others to be more lax in their policy without having endless spam messages delivered daily.

It's also a way for Facebook to make easy money, I'm not naive. But they're making money off something you just couldn't do before, not charging for a service that already existed. You can still send emails for free to people who trust you, and you can still block the feature entirely if you want, but unlike before there's now a step in between.

Re:Why restrict it at all? (0)

Anonymous Coward | about a year ago | (#43852237)

Just WAIT until they find out how real estate works!

Re:Why restrict it at all? (1)

Intrepid imaginaut (1970940) | about a year ago | (#43851035)

There may be some sort of 'ability to enter into legally binding contracts' thing going on. But seriously just hold the payment till he turns 18. Happy birthday kid!

People make things so hard for themselves sometimes.

Re:Why restrict it at all? (1)

nitehawk214 (222219) | about a year ago | (#43851127)

It's a voluntary process, why would they need to restrict it? It's not like it's forced child labor. If anything, it's a learning experience.

Yeah, he learned that he should never report a vulnerability. At best, you get nothing for your trouble, at worst you get the FBI breaking down your door and you get Aaron Swartz'd by some overzealous DA.

Re:Why restrict it at all? (1)

mark-t (151149) | about a year ago | (#43851617)

Or, you deal with them through an adult... say, your parents.

Re:Why restrict it at all? (3, Insightful)

TheCarp (96830) | about a year ago | (#43851147)

There is only one reason to restrict it...legal CYA. Remember everywhere in the world makes their own laws and many of them have restrictions on what one can do with young people, which includes paying them.

Does paying a minor, even for such a voluntary action, require parental approval? If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?

Remember, lawmakers are lazy, they like to be overly broad or not think things through, I could totally see legislative attempts at curbing anything from drug use to underage prostitution hamfistedly creating problems here. Law is often not limited by its own intentions.

In the end, I bet the answer has three letters: CYA:

"What are the implications of allowing people under 18 to submit bugs?"
"It depends on......."
"Ok sorry I asked; no submissions from people under 18."

Re:Why restrict it at all? (1)

noh8rz10 (2716597) | about a year ago | (#43851847)

If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?

let me answer your question with a blanket YES - anybody can sue anybody for anything, for any claim. then it becomes a probability game of their odds of winning, the potential cost if you lose, and the cost of defending, even if you were to win. throw in some unquantifiables such as PR reputational costs, etc.

on the other hand, the plaintiff plays the same probability game, and will only sue if there's a good chance of seeing some $$. So it's all a rent-seeking game of thuggery and extortion. welcome to tort law.

Re:Why restrict it at all? (1)

TheCarp (96830) | about a year ago | (#43852077)

> on the other hand, the plaintiff plays the same probability game, and will only sue if there's a good
> chance of seeing some $$

Well no, its if they believe there is a good chance, which is different from whether there is, but also, whether there is depends on what court in what country. My point is, this looks pretty clearly like it was CYA from the begining and likely something they didn't think through since it was likely viewed as more trouble than its worth.

Re:Why restrict it at all? (1)

noh8rz10 (2716597) | about a year ago | (#43852575)

I don't think you know what CYA means... it means think in advance to minimize problems later! Sure it backfired here but there are probably hundreds of cases in which children probably as young as 11 would have sought rewards even though it would be violating child labor laws worldwide. is this what you want, for Paypal to engage child labor to search for bugs?

Re:Why restrict it at all? (1)

TheCarp (96830) | about a year ago | (#43858961)

I don't consider that child labor so no. However, if you do, then yes, that's exactly what I would want; regardless of the label you put on it.

Re:Why restrict it at all? (1)

noh8rz10 (2716597) | about a year ago | (#43860835)

obviously you do not have children. if you ever do you will see what I mean... trust me grasshopper...

Re:Why restrict it at all? (1)

TheCarp (96830) | about a year ago | (#43861585)

obviously the hormonal impact of having children has clouded your ability to understand what child labor actually means and why it is generally banned. If you ever do get beyond that you will see what I mean, trust me.

Re:Why restrict it at all? (1)

Khyber (864651) | about a year ago | (#43852101)

""What are the implications of allowing people under 18 to submit bugs?""

If you won't pay them as promised, someone else will.

Mr. Kugler should be checking his paypal account for the tidy sum I just tossed his way.

I hope PayPal is happy, because now I know how deep this rabbit hole goes, and it's a SEVERE PCI-DSS violation, which I shall be reporting, or exploiting, I'm not sure of which, yet.

Either way, there's about to be a HUGE shitstorm for paypal, and this will likely end up having them fully-regulated as a bank in the USA.

And if PayPal stops his account for suspicious activity, I'll use this exploit to send EVERY PayPal member's money to him. Just to demonstrate why systems like this NEED to be fully-regulated and inspected on a WEEKLY basis.

Re:Why restrict it at all? (2)

c (8461) | about a year ago | (#43852295)

Does paying a minor, even for such a voluntary action, require parental approval?

According to the terms of the program, yes.

"Payment is paid out through a verified PayPal account, once the bug is fixed." [paypal.com]

A minor can't have a PayPal account. As well, there's a "Terms for participation" which implies a contract to submit the bug. If a minor can't enter a contract, they can't agree to the terms.

Re:Why restrict it at all? (1)

TheCarp (96830) | about a year ago | (#43852469)

That is kind of tangential to the point though. Yes, those are the terms, but, what the terms are doesn't address what they can be or why they are the way they are. I meant in more general terms, can you legally pay a minor without permission from their parent? Certainly, I imagine there are places and situations where you can, unambiguously and legally do so, but its not hard at all to imagine places and situations where you cannot or where whether you can is ambiguous.

I think this really boils down to a bunch of CYA, easiest thing to do with "minors" is set the cutoff age around where most countries make the distinction and sidestep the whole issue by not allowing minors, which, appears to be exactly what paypal decided to do.

Not that I blame them for wanting some CYA or wanting to punt on the whole issue, I wouldn't be shocked at all if the age limit came about as a response from the lawyers about how much research it would require.....or.... to simply the scenario even more, its not even a given that they ever considered the age issue. Its entirely likely it went like this:

"Legal said we are good on the bug bounty program, but this is the language they want added to the rules."
"Looks good, post it."

Re:Why restrict it at all? (1)

bill_mcgonigle (4333) | about a year ago | (#43853529)

Good analysis.

If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?

Just to strip away the euphemisms here for clarity - Paypal likely isn't afraid of paying the youngster for good work - it's afraid of what government thugs might do to them if they do.

I'd rather live in the world where a youth can be rewarded for diligent, intelligent work.

Re:Why restrict it at all? (1)

steelfood (895457) | about a year ago | (#43853913)

It's all about lawsuits. Laws cannot be written with every specific case in mind (and probably should not). The very purpose of judges (and juries) is to determine the application of law in each specific case.

The problem (in this case) is neither the judges nor the lawmakers. It's the lawyers, and the sue-happy culture. A large company's primary goal operationally is to avoid lawsuits. It's not to make money. It's not to create products. it's the avoid lawsuits. That should tell you everything about the culture.

Re:Why restrict it at all? (1)

stephanruby (542433) | about a year ago | (#43854171)

There is only one reason to restrict it...legal CYA.

"PayPal security is sooo bad, even a six years old can break it. "

That would be another reason for placing an age limit on people who submit bugs, possible embarrassment.

Re: Why restrict it at all? (1)

skywire (469351) | about a year ago | (#43851177)

Child labour laws usually prohibit voluntary labour by persons under a certain age (with varying ages, transitional age ranges allowed to work limited hours, etc.).

Re: Why restrict it at all? (1)

CanHasDIY (1672858) | about a year ago | (#43851351)

Child labour laws usually prohibit voluntary labour by persons under a certain age (with varying ages, transitional age ranges allowed to work limited hours, etc.).

Indeed; in the USA, that age is generally 16 (although exceptions do apply for work permit holders and farm kids)

Re: Why restrict it at all? (1)

ganjadude (952775) | about a year ago | (#43851605)

yet you can be 14 and work at a mcdonalds, at least in NY

Re: Why restrict it at all? (1)

Khyber (864651) | about a year ago | (#43852121)

With highly restricted hours, and if McDonald's isn't following that restriction, they're about to get fucked, royally. Won't matter if it's an independent franchise or not.

Re: Why restrict it at all? (1)

ganjadude (952775) | about a year ago | (#43853151)

yes you are correct. I addressed it lower in the thread.

Re: Why restrict it at all? (1)

CanHasDIY (1672858) | about a year ago | (#43852557)

yet you can be 14 and work at a mcdonalds, at least in NY

I figured as much; hence my use of the term, "generally."

In Missouri, employing anyone under the age of 16 requires a valid work permit (exception made for farm hands).

Re: Why restrict it at all? (1)

ganjadude (952775) | about a year ago | (#43853141)

I forgot to mention that you do need a work permit, 14-15 are restricted to some jobs (mcdonalds) and can only work a total of 20 hours and no more than 3 hours on a school day and not past 7 PM (things may have changed in the past 15 years but ..woah damn im old) 16-17 can work 32 hours or something and no more than 4 hours on a school day and not after 10 PM

Re:Why restrict it at all? (1)

thomasw_lrd (1203850) | about a year ago | (#43854699)

Really it seems like this is a way to force younger people into criminal hacking. Hey, I found a bug on Paypal, I could do the responsible thing, and turn it in and not get paid, or I could exploit it and get paid even better. As if I needed anymore reason to hate Paypal.

Why don't they just admit it. (0)

Anonymous Coward | about a year ago | (#43850935)

Why don't they just admit they don't want to pay him - or anyone.

Re:Why don't they just admit it. (1)

gl4ss (559668) | about a year ago | (#43850977)

Why don't they just admit they don't want to pay him - or anyone.

wouldn't get free work then.
the right thing to do that wouldn't have been a pr snafu would have been to told him that he'll get his reward when he turns 18.. not that giving minors money would be illegal anyhow.

is their rewards program constructed as a shuffle??

This kid pointed out Paypal's Biggest Vunerability (2)

garcia (6573) | about a year ago | (#43850941)

Their poor policy and the public's perception of that company. The more people hear about PayPal's poor internal decision making the better off everyone is about avoiding their biggest vulnerabilities.

tinfoil hat (0)

Anonymous Coward | about a year ago | (#43850953)

Paypal pulling out their tinfoil hat. They could have told that to the researcher and this all would have been avoided.
I smell bullshit.

Make payment to parents or guardians (1)

techdolphin (1263510) | about a year ago | (#43850985)

It seems obvious to me, but if Robert Kugler is too young to receive the award, then arrange to make the payment to a parent or guardian. If somebody else discovered the vulnerability first, then again, obviously, that should have been stated in the initial contact.

Re:Make payment to parents or guardians (1)

bmo (77928) | about a year ago | (#43851071)

This all assumes that there is some sort of legal restriction on giving money for things like this.

There isn't.

--
BMO

Re:Make payment to parents or guardians (3, Informative)

g0bshiTe (596213) | about a year ago | (#43851095)

He did ask that payment be sent to his parents account, they denied it.

Re:Make payment to parents or guardians (1)

Culture20 (968837) | about a year ago | (#43851313)

It's not about the money, it's about the signing over of rights.

Re:Make payment to parents or guardians (1)

Joce640k (829181) | about a year ago | (#43851669)

It seems obvious to me, but if Robert Kugler is too young to receive the award

Is there an age restriction on owning money?

I'll try to remember that the next time I see girl scouts selling cookies.

And I'll notify the authorities immediately if I see any kids mowing the neighbors lawn. It's my moral duty.

Re:Make payment to parents or guardians (0)

Anonymous Coward | about a year ago | (#43851923)

No, but there's age restrictions on entering contracts. Minors can enter contracts but can also freely back out before the age of majority. Not very likely in this case, but a company can easily find itself in trouble by entering into a contract with a minor.

Re:Make payment to parents or guardians (1)

Joce640k (829181) | about a year ago | (#43852653)

Who said anything about a contract? Why would you need one, are there any intellectual property rights on a vulnerabilities/bugs? Does he need to sign the ownership rights over to them so they can collect royalty payments from people who exploit it?

He reported a vulnerability, they acknowledged it exists and that he's reported it to them.

They're not employing him or entering into an ongoing business relationship with him, they need to STFU and give him his money as promised.

Re:Make payment to parents or guardians (1)

Khyber (864651) | about a year ago | (#43852137)

"Is there an age restriction on owning money?"

Why yes, there is, especially if something has been found to be in violation of child labor laws.

But, this isn't the matter.

Sure, PayPal. (0)

Anonymous Coward | about a year ago | (#43850995)

Let's say that we're reviewing the qualifying age so that we can get these internet assholes off our case.

Oh, but we don't want to actually pay anything, so let's also say someone else already submitted the bug.

Paypal Ebay screws kid out of bug bounty (0)

Anonymous Coward | about a year ago | (#43851017)

Sure sure, we know

PayPal (0)

Anonymous Coward | about a year ago | (#43851029)

Can we dedicate this thread to finding alternatives to PayPal so people don't have to interact with this horrible company and its practices.

Re:PayPal (1)

g0bshiTe (596213) | about a year ago | (#43851115)

Bitcoin

Re: PayPal (0)

Anonymous Coward | about a year ago | (#43851377)

Nope. Try again.

Money laundering (1)

tepples (727027) | about a year ago | (#43851963)

The problem with Bitcoin is the difficulty of exchanging it for offline money. The governments of major countries have been cracking down on BTC exchanges [rt.com] , claiming that their potential for money laundering outweighs any lawful benefit they might offer. PayPal is big enough to be able to afford compliance with money laundering regulations.

But one alternative to PayPal is Dwolla, the payment processor that people used to use to get their money in and out of Mt. Gox.

Re:Money laundering (1)

Fnord666 (889225) | about a year ago | (#43852731)

But one alternative to PayPal is Dwolla, the payment processor that people used to use to get their money in and out of Mt. Gox.

Another alternative would be LibertyReserve...what's that? ... oh, never mind.

Legal issues? I hardly knew her. (1)

yuukari (2934491) | about a year ago | (#43851137)

To be fair I can see where paypal is coming from, trying to cover their rears in case of some problems with the law when it comes to paying minors a lump sum, however if Kugler had found the bug he should've been awarded the money. If it wasn't stated in their fine print they have no choice, in my opinion. (That being said, you need to be eighteen in order to even have a paypal account, so it should render the point null).

Just shut up and pay the kid (1)

anthony_greer (2623521) | about a year ago | (#43851277)

That is all

Can't 'Legally' Pay a 17-Year-Old? (4, Insightful)

CanHasDIY (1672858) | about a year ago | (#43851401)

Pure, unfiltered bullshit.

Evidence: 16-year-olds who work at McDonald's.

C'mon, PayPal; Fuckin' a kid around is bad enough, but then having the balls to lie to his face about why? That's uber-dickish.

Re:Can't 'Legally' Pay a 17-Year-Old? (0)

Anonymous Coward | about a year ago | (#43851975)

I'm not saying you are wrong about Paypal being dickish or that they couldn't have found some way to pay him, but your comparison sucks. Those 16-year-old McDonald's employees work under all kinds of restrictions (e.g., what hours they can work) and are actual employees. It's not the same thing. I think Paypal would rather not pay some kid than to run afoul of child labor laws (and the even worse bad press they'd get).

Re:Can't 'Legally' Pay a 17-Year-Old? (1)

Joce640k (829181) | about a year ago | (#43852685)

run afoul of child labor laws

Was Paypal employing him? Did they have any prior contact with him? Have they ever paid him money before?

If people aren't allowed to buy things off minors then the Girl Scouts of America are completely screwed.

Re:Can't 'Legally' Pay a 17-Year-Old? (1)

DerekLyons (302214) | about a year ago | (#43853025)

Pure, unfiltered ignorance

On your part, yes. (I.E. TFTFY).
 

Evidence: I didn't know that16-year-olds who work at McDonald's only do so under special legal restrictions and with parental permission.

Fixed that for you too.
 

C'mon, PayPal; Fuckin' a kid around is bad enough, but then having the balls to lie to his face about why? That's uber-dickish.

Seriously, get a clue what you're talking about. The terms of the program require an active PayPal account - which a minor can't have. The only dick in this situation is the one puffing out his chest and prattling on about things he knows nothing about.

Re:Can't 'Legally' Pay a 17-Year-Old? (1)

CanHasDIY (1672858) | about a year ago | (#43853423)

Pure, unfiltered ignorance

On your part, yes. (I.E. TFTFY).

 

Evidence: I didn't know that16-year-olds who work at McDonald's only do so under special legal restrictions and with parental permission.

Fixed that for you too.

You didn't fix shit, you cocky asshole. I've worked since I was 15, and guess what? Never needed parental permission, and the only "special legal restrictions" I dealt with were that I wasn't supposed to work past a certain time (10 PM I think) on schooldays, though that never stopped management from scheduling me til close.

Spend a little more time doing research, and a little less time being so sure of yourself, and maybe next time you won't come off as such an arrogant, know-nothing prick.

Re:Can't 'Legally' Pay a 17-Year-Old? (1)

DerekLyons (302214) | about a year ago | (#43853649)

You didn't fix shit, you cocky asshole. I've worked since I was 15, and guess what? Never needed parental permission, and the only "special legal restrictions" I dealt with were that I wasn't supposed to work past a certain time (10 PM I think) on schooldays

Then you worked under very unusual circumstances. And you're ignorant enough to mistake them for being universal. (As if your inability to express yourself without profanity wasn't example enough of your ignorance.)
 

Spend a little more time doing research, and a little less time being so sure of yourself, and maybe next time you won't come off as such an arrogant, know-nothing prick.

Your mistake (one among many) lies in thinking I didn't do research... And being " arrogant, know-nothing prick", that's a label often applied to me by ignorant people to justify their own ignorance. It doesn't bother me one bit.

Re:Can't 'Legally' Pay a 17-Year-Old? (0)

Anonymous Coward | about a year ago | (#43854017)

Exactly. And now the PR spinmeisters are trying to do some damage control... how lame!

Fuck paypal.

Re:Can't 'Legally' Pay a 17-Year-Old? (0)

Anonymous Coward | about a year ago | (#43857229)

You're making the mistake of thinking the Jati Jackasses running PayPal are concerned about rational thought. The broomstick is stuck too far up their self-important pompous ass to be concerned about anything beyond themselves and their immediate family managing their Serf powered Communist Monarchy.

escrow? (1)

anthony_greer (2623521) | about a year ago | (#43851421)

If there is an age issue, couldn't they just toss the funds into escrow, maybe an interest earning money market, and cut him a check on his 18th B-Day?

Already reported (1)

Anonymous Coward | about a year ago | (#43851569)

Sure it was. Does anyone actually buy this?

Excellent motivation and publicity, Paypal! (1)

Bearhouse (1034238) | about a year ago | (#43851573)

Well done guys.
Clear message here kids; next time sell the exploit in a black hat forum.

Paypal, proudly fucking you over since 1998.

The message: (4, Interesting)

Opportunist (166417) | about a year ago | (#43851747)

When you're young, don't report the bug to the company in question or the authorities, report it to those that can make "good use" of them. Not only do they not have any problem with you being underage, you being underage also means you most likely won't be doing time if you get caught.

It's just so win-win...

Re:The message: (2)

Insightfill (554828) | about a year ago | (#43852671)

When you're young, don't report the bug to the company in question or the authorities, report it to those that can make "good use" of them...It's just so win-win...

Yes, this comment was by the "Opportunist".

Whose Account ? (3, Interesting)

the eric conspiracy (20178) | about a year ago | (#43851767)

PayPal has account eligibility requirement that you must be 18 to open an account. And yes I checked it applies in Germany.

Also you aren't supposed to let others use your account.

So how did he avoid these terms of service?

Re:Whose Account ? (0)

Anonymous Coward | about a year ago | (#43852301)

He discovered a security vulnerability... I'm sure there's something in the Paypal terms of service along the lines... "DO NOT HACK US"

So how did he avoid these terms of service and why isn't paypal acting on his breaking them. So they're okay with him finding a security vulnerability even though he probably had to break their terms of service, but they won't compensate him for his efforts because THAT is against the ToS. It's kind of a Catch -22, could he have sold the vulnerability instead... you see how this works against Paypal no matter what.

Re:Whose Account ? (1)

stephanruby (542433) | about a year ago | (#43854299)

So how did he avoid these terms of service?

It's a thing called parental supervision.

No doubt one parent could have submitted the bug and gotten the money if it had just been a question of money, but how will the child be able to claim credit for discovery to his friends, to a school he will apply to, or on his resume, if instead of his own name, the name of one of his parents is listed on PayPal's web site as the person responsible for the bug discovery.

only feel a little sorry for him (1)

RedHackTea (2779623) | about a year ago | (#43851845)

At first, I didn't feel sorry at all. Usually, the guidelines specifically point out you must be 18+, and you agree to this upon submission. But then, I couldn't find anything about age restrictions [paypal.com] . However, it does say "The bug bounty program is subject to change or to cancellation at any point without notice." and a bunch of other "Hey, we can screw you over if we want, and you agree to this upon submission." Therefore, I feel a little sorry for the guy because there is NO indication of an age restriction, but it's clear that Paypal can screw you over if they want (just like any legal Terms and Conditions that we all agree to everyday). If you don't want to be screwed over, just don't submit bugs. Submit bug reports for FOSS projects instead... or, call up Paypal and scream, "Show me the money!"

More valuable than a monetary reward (0)

Anonymous Coward | about a year ago | (#43851931)

Why not offer this kid an internship?

Backpedaling doesn't make you look better.... (1)

realsilly (186931) | about a year ago | (#43852093)

....PayPal, it just makes you look worse. If you had that vulnerability found already, there should have been something posted somewhere.

At this point, the only way for PayPal to save face is to dole out the reward and create a new policy stating all of the rules and when the bug is reported and verified, it should be posted immediately.

Re:Backpedaling doesn't make you look better.... (1)

GameboyRMH (1153867) | about a year ago | (#43852547)

Came here to say this. "Reported by another researcher" could be a very handy boilerplate response if there's no list of found vulnerabilities. They could even post a hash of a vulnerability's description until they fix it.

Here's another idea for Paypal (1)

Dahamma (304068) | about a year ago | (#43852591)

They should ban minors from hacking their site for personal gain and entertainment as well. That would probably cut down on the majority of the script kiddie attacks, and of course would be 100% effective.

Or even better, arbitrarily RAISE the age at which people are legally allowed to hack their site - that could eliminate ALL security issues, and they'd have no need for bug bounties at all... this security stuff is so damn easy!

Something is wrong... (1)

Larry_Dillon (20347) | about a year ago | (#43854245)

They received something of value and didn't pay up. I see this as a problem. They should have to give the money to the charity of the kids choice or something like that.

Two More Unreported Bugs (0)

Anonymous Coward | about a year ago | (#43863603)

Two security issues, one serious, I've known about for several weeks are still unknown. I'm thoroughly enjoying myself, while I just watch and wait; the resulting Karma will be a bitch. (Hint: viewing account data.)
Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...