In April 2020, PayPal CTO Sri Shivananda posted a two-part Q&A with the lead of PayPal’s Bug Bounty Program on his LinkedIn page to help readers better understand our relationship with the security research community. Here are the top five things to know about bug bounties at PayPal.
- PayPal invests a lot of money in building secure platforms, creating strong defenses and protective systems, but we also run a bug bounty program in partnership with HackerOne to make our products and services more secure. Since 2012, PayPal has paid out more than $6M – $2M in 2019 alone – to roughly 3,000 ethical hackers who have participated in our bug bounty program.
- PayPal has one of the industry’s higher bounty pools, and we try to be as transparent as possible around scope, communicating about why we make certain decisions, and using objective measures like CVSS (Common Vulnerability Scoring System) to help clarify why something may or may not have been accepted into the program.
- We work closely with ethical hackers to disclose issues raised in bug bounty submissions. The decision whether or not to allow disclosure does not depend on the severity of the bug, but rather on whether disclosing it would cause greater harm or risk to others, our customers or our partners. Sometimes it’s not in our control; if a bug involves a vendor feature, that vendor might want to see the patch rolled out first before we could allow disclosure.
- Not all ethical hackers in our bug bounty program have a background in coding, hacking or security research; they may be someone who was introduced to the program because they're passionate about breaking things in an ethical manner and are looking to make a difference in their lives. We’ve seen hackers able to buy their parents a house, get out of debt, and even pay for their wedding with the bounty.
- Our HackerOne page has a leaderboard of our top hackers and daily updated program statistics showing total bounties paid, bounties paid in the last 90 days, the number of reports resolved, and the number of hackers thanked.
You can read the full Q&A here. Part I | Part II