PayPal Shafts Teenager Out of Bug-Bounty Reward

Bug bounties are a great way for budding programmers and developers to earn a bit of extra cash. Companies that offer them pay hundreds and even thousands of dollars per bug, depending on the severity of the security vulnerability that was discovered, resulting in a more secure product by the vendor and a little more jingle in the pocket of the person who uncovered the buggy code. In theory, everyone wins, so why is PayPal refusing to compensate a teen for finding a vulnerability on its website? He's too young to participate.

Robert Kugler, a 17-year-old German student, claims he notified PayPal of the vulnerability in question on May 19, to which he received an email response indicating that since he's not 18 years old, he doesn't quality for PayPal's Bug Bounty Program, PCWorld reports.


One of PayPal's requirements is that bounty hunters have a verified PayPal account, which is how they're compensated. Kugler, who turns 18 years old next March, asked if PayPal could issue the reward to his parents' account. Failing that, he'd at least like to have some kind of written statement acknowledging his contribution so that he can list it on his resume when applying for jobs. He's yet to hear back from PayPal, though given the media attention this is receiving, it'd be surprising if the eBay-owned site held firm on its stance.

The bug Kugler discovered has to do with a Cross-Stie Scripting (XSS) vulnerability.