After it was revealed that the U.S. government is the biggest buyer of zero-day vulnerabilities, companies like Google and Facebook that pay "bounties" to security researchers for reported bugs admitted they are "hard-pressed to compete financially with defense-industry spending." PayPal started a bug bounty program last summer and listed cross-site scripting (XSS) vulnerabilities as within the company's scope of what types of flaws it will pay for. However, PayPal's security team seems to be ripping off a teenager, refusing to pay, based on the 17-year-old German hacker's age.
The hacker, Robert Kugler, is interested in "securing computer systems." He posted details of the XSS vulnerability on the Full Disclosure mailing list as well as PayPal's security team response.
"To be eligible for the Bug Bounty Program, you *must not*:
... Be less than 18 years of age. If PayPal discovers that a researcher does not meet any of the criteria above, PayPal will remove that researcher from the Bug Bounty Program and disqualify them from receiving any bounty payments."
PayPal does not mention any age requirement in its terms and conditions. As Threatpost pointed out, Kugler previously "dug up bugs for Microsoft - his name is listed in the security researcher acknowledgments last month - and found flaws in Mozilla's Firefox browser on two separate occasions."
Pay up, PayPal, as citing a hacker's age is a pathetic reason not to pay out. A vulnerability is a flaw that could adversely affect millions of PayPal customers, whether the person reporting it is age 10 or 100.
Microsoft's "hostility" to security researchers
Microsoft has been on the receiving end of bad karma for "hostility toward security researchers" in the past. After an unwise Microsoft PR spin in 2010 tried to blame Google for the "irresponsible disclosure" of a zero-day vulnerability by Google engineer Tavis Ormandy, anonymous security researchers formed the "Microsoft-Spurned Researcher Collective."
Ormandy has lashed out at Microsoft again for continuing to treat "vulnerability researchers with great hostility." He accused Microsoft of often being "very difficult to work with." He advised "only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."
Ormandy "publicly revealed a new unpatched security hole in the Windows operating system - a bug that can be exploited to crash systems or gain administrator privileges. The vulnerable driver is present in 'all currently supported versions of Windows'," reported The Register. Ormandy posted details on the Full Disclosure mailing list; on his blog, he asked others to also investigate the flaw.
Calling all hackers: National Civic Hacking Day
Despite the unfair way it seems to have gone down for these two security researchers, America desperately needs minds that think outside the box. This weekend, June 1 - 2, America is calling all hackers for the first ever National Civic Hacking Day.
"Civic Hacking Day is an opportunity for software developers, technologists, and entrepreneurs to unleash their can-do American spirit by collaboratively harnessing publicly released data and code to create innovative solutions for problems that affect Americans," according to the White House blog. "National Day of Civic Hacking is a call to action for anyone who wants to make a positive impact on their town, city, and country...The event is taking place in conjunction with Random Hacks of Kindness and Code for America's Brigade meetings and is being modeled after the Innovation Endeavors' Super Happy Block Party."
Hack for Change said National Day of Civic Hacking is for "engineers, technologists, civil servants, scientists, designers, artists, educators, students, entrepreneurs - anybody - who is willing to collaborate with others to create, build, and invent open source solutions using publicly-released data, code and technology to solve challenges relevant to our neighborhoods, our cities, our states and our country."
Not a hacker? No problem. The organizers wrote, "To us, a hacker is someone who uses a minimum of resources and a maximum of brainpower and ingenuity to create, enhance or fix something. Although in some circumstances it is used in a negative sense, the term is not inherently negative, nor does it even have to be related to technology."
So, in other words, it's not just calling all hackers; it's calling all Americans.
A growing list of datasets and resources include all sorts of topics, from government challenges to the ACLU's torture database. Most states have scheduled events, so I urge you to please get involved. For all the tarnish on the word "hacker," I truly believe that hackers can still "save" the world.
Like this? Here's more posts:
- Journalist threatened, warned not to write about face-recognition at Statue of Liberty
- Google to Microsoft on Windows Phone 8 YouTube app blocking ads: Cease and desist
- Skype accounts easily hijacked via Skype Support, warns hacker
- Microsoft: What are people really asking for when they ask for a Start button?
- U.S. government is 'biggest buyer' of zero-day vulnerabilities, report claims
- Reporters threatened with CFAA, labeled hackers for finding security hole
- Is Microsoft power-snooping on Skype conversations?
- Former FBI agent: All phone calls recorded, no digital communication secure
- Will Chinese hackers launch re-tread attacks into surveillance databases?
- Comedian Rob Schneider stars as Google Docs in Microsoft Office 365 videos
- Privacy and penny-pinching points of view about Xbox One
- Google's patent for email snooping? Microsoft offers your boss email spying powers now
- Fight for your privacy or lose it, says Eric Schmidt
Follow me on Twitter @PrivacyFanatic