
Went WhiteHat and Reported a Vulnerability to Paypal and Their Contradiction

Discussion in 'BlackHat Lounge' started by Elliot305, Apr 6, 2015.

  1. Elliot305

    Elliot305 Power Member

    Joined:
    Jul 21, 2010
    Messages:
    575
    Likes Received:
    1,671
    Occupation:
    Loophole/Exploit Specialist
    Location:
    In The Sun
    Long story short, a couple of months back I found a vulnerability on PayPal and submitted my report to them (with evidence) via their Bug Bounty Program. A month goes by and I receive an email stating that my submission does not qualify for the program and I would not be receiving compensation for it. However, they immediately fixed the vulnerability I reported, lol. Fast forward to now, and a couple of days ago I received this email from them:

    In an effort to provide recognition to our research partners who have supported our security efforts, we are updating our Bug Bounty Wall of Fame to feature individuals like yourself who have made significant contributions over each quarter. We will refresh our listings on a quarterly basis to include both our top 10 researchers by quarter, as well as our honorable mention archive page for everyone that provided a valid submission over the course of our program.

    We would like to thank you for your efforts and congratulate you for being recognized in the first quarter of 2015. We would like to list your name and, if applicable, your credentials and the name of your organization, on our proposed Wall of Fame page which will be available in the coming months. In order to do so, we must have your consent. Please follow the instructions below and return to us at our eBay Inc Security email portal and return to us by 4/13/15.


    I thought it was interesting to see that they won't classify it as a vulnerability worth compensating me for yet are willing to include me in their 2015 Q1 Wall of Fame. Now don't get me wrong, I appreciate the offer to be recognized and will be submitting my name and website where I sell exploits/methods which may have an indirect value of getting more clients, but I'm confused why they elected to not offer compensation via the Bounty program but are willing to recognize me now. Have you guys heard of this type of contradiction before from companies offering bounties/rewards for something and then doing a quasi bait and switch by just giving you recognition for it? One would think if the information was valuable enough to be recognized for it via the Wall of Fame then why not be compensated like the program suggests? Anyway, curious to hear your thoughts. Thanks.
     
  2. GroundUp

    GroundUp Regular Member

    Joined:
    Jan 1, 2015
    Messages:
    333
    Likes Received:
    305
    Thoughts: fuckers
     
    • Thanks x 6
  3. archon10

    archon10 BANNED

    Joined:
    Oct 10, 2011
    Messages:
    1,181
    Likes Received:
    8,223
    Wow, that's pretty shitty, man. What a bunch of assholes. At least Google pays.
     
    • Thanks x 6
  4. wizard04

    wizard04 Elite Member

    Joined:
    Apr 1, 2014
    Messages:
    2,698
    Likes Received:
    2,540
    Location:
    Outside your house
    Next time sell the glitch to the highest bidder, let the fuckers pay next time.
     
    • Thanks x 5
  5. royserpa

    royserpa Jr. VIP Premium Member

    Joined:
    Sep 28, 2011
    Messages:
    4,986
    Likes Received:
    3,744
    Gender:
    Male
    Occupation:
    Negative Options aka Rebills!
    Location:
    Exploiting Loopholes!
    I would have told them to pay me, or else I would abuse the vulnerability.
     
    • Thanks x 2
  6. Elliot305

    Elliot305 Power Member

    Joined:
    Jul 21, 2010
    Messages:
    575
    Likes Received:
    1,671
    Occupation:
    Loophole/Exploit Specialist
    Location:
    In The Sun
    Yeah it's a hard call to make as you don't want to cross the lines of extortion. I've dealt with the "pay me or I'll use it" type scenarios with casinos but did it in a role-play type scenario where I was acting as the middle-man/good guy. In other situations I had the casinos by the balls so they really had no choice, at least not a cost-effective one. With PayPal I had no clue what to expect or how strong their hand was, so to speak. They're too big to play the back and forth game and I couldn't speak with anyone in the tech and/or bounty program to show any strength to. So I went through that lame submission form and just waited for an answer.
     
  7. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,267
    Likes Received:
    5,083
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    lol. They send their standard condolence email, sounding a bit nicer though. :D Ever heard of them handing rewards, in cash, to someone else?

    [image]

    ^^ That guy has a lot lot better history than PP moneysuckers. ;)
     
  8. Nicheblogger

    Nicheblogger Regular Member

    Joined:
    Apr 29, 2014
    Messages:
    286
    Likes Received:
    189
    At least you will hopefully get a good link out of it. One thing I know for sure is ebay/paypal are as greedy as they come.
     
    • Thanks x 1
  9. Krusty

    Krusty Registered Member

    Joined:
    Jul 14, 2014
    Messages:
    86
    Likes Received:
    35
    Why don't you contact someone higher up? Tell them you have found further vulnerabilities but can't be bothered exposing them due to not getting compensated.
     
    • Thanks x 1
  10. asap1

    asap1 BANNED

    Joined:
    Mar 25, 2013
    Messages:
    4,961
    Likes Received:
    3,185
    Fuck PayPal. Even though I use them every day, I wish someone else would come into the market and take them over.

    I have a deep dislike of Paypal since they F'ed me and my money over.
     
    • Thanks x 1
  11. Elliot305

    Elliot305 Power Member

    Joined:
    Jul 21, 2010
    Messages:
    575
    Likes Received:
    1,671
    Occupation:
    Loophole/Exploit Specialist
    Location:
    In The Sun
    Well it's past tense now since they already received my report and patched it up. The Bounty program doesn't have direct support or contacts, just the general submission form. However, once I received that email about being mentioned I have a secure portal where I log in and can email them. So that probably will help going forward for direct contact if I find something in the future.
     
  12. srb888

    srb888 Elite Member

    Joined:
    Jul 30, 2008
    Messages:
    3,267
    Likes Received:
    5,083
    Gender:
    Male
    Occupation:
    WebzSurfer
    Location:
    Sun, Mon, Tue, WTF, Sat!!! :)
    PP has a heart of iron -- 100% rusted too. Nothing can touch it, or heal it... except maybe a great competitor. I can see "him" coming, soon, and then PP will become history and its heart scrap junk.
    [image]

    PPRip somewhere inside that junk yard.
    :)
     
    • Thanks x 1
    Last edited: Apr 6, 2015
  13. Elliot305

    Elliot305 Power Member

    Joined:
    Jul 21, 2010
    Messages:
    575
    Likes Received:
    1,671
    Occupation:
    Loophole/Exploit Specialist
    Location:
    In The Sun
    LOL, what a bunch of d-bags:

    We mistakenly sent out the email notification below to all of our researcher community. Please note: We will only be adding researchers to our honorable mention archive page who submitted validated bugs over the course of our program. If you did not submit a validated bug to our program we will not be adding your name to our wall.

    We apologize for any confusion and appreciate your understanding.

    Sincerely,
    Bug Bounty Team


     
  14. GringoMonkey

    GringoMonkey Power Member

    Joined:
    Dec 26, 2013
    Messages:
    586
    Likes Received:
    224
    Occupation:
    Making and Spending Money Online
    It reinforces what anyone who has had dealings with PayPal experiences... they are a law unto themselves and change the rules as they go along.

    Commonly known as, to paraphrase refexpert, a bunch of fuckers!
     
    • Thanks x 1
    Last edited: Apr 6, 2015
  15. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Jr. VIP

    Joined:
    Nov 10, 2012
    Messages:
    12,606
    Likes Received:
    34,749
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London

    Now that is a shame, being mentioned on the Wall of Fame would have been good exposure. You were unlucky this time.
    As I have suggested to you before, you should do a Computer Forensics/Computer Security course, get some credentials behind you and you may find a very lucrative career.
     
    • Thanks x 3
  16. pewep

    pewep Power Member

    Joined:
    Nov 3, 2008
    Messages:
    660
    Likes Received:
    2,896
    Gender:
    Male
    Occupation:
    Yogi-In-Training
    Location:
    U.S.
    Never, ever trust paypal on any level for anything. Learned that the hard way 2009-2010. They paid me up though, so we're even. Hate the fact that so many websites still use them.
     
    • Thanks x 1
  17. ok888

    ok888 Elite Member

    Joined:
    Nov 23, 2010
    Messages:
    2,369
    Likes Received:
    654
    100% agreed

    PayPal is horrible
     
    • Thanks x 2
  18. pewep

    pewep Power Member

    Joined:
    Nov 3, 2008
    Messages:
    660
    Likes Received:
    2,896
    Gender:
    Male
    Occupation:
    Yogi-In-Training
    Location:
    U.S.
    I'll bet you 10 bucks that some asshat working there took credit for your work and is now getting $paid$ and has his/her name on the archive. Yeah, they would really do that.
     
    • Thanks x 2
  19. Elliot305

    Elliot305 Power Member

    Joined:
    Jul 21, 2010
    Messages:
    575
    Likes Received:
    1,671
    Occupation:
    Loophole/Exploit Specialist
    Location:
    In The Sun
    I hear ya. Just been sticking with what I know best which is front-end exploiting without getting too tech involved on the back-end.
     
    • Thanks x 1
  20. EmailMaster

    EmailMaster Jr. VIP

    Joined:
    May 28, 2011
    Messages:
    1,893
    Likes Received:
    556
    Occupation:
    Proxy & Account Seller
    Location:
    Canada
    Yup, it happened to me with fucking Instagram/Facebook. I found a few exploits, pretty big ones, and they blew me off. I was so goddamn mad about it. I'm like, I saved you guys some legal problems, but yet you're gonna fuck me? That's total BS.
     
    • Thanks x 1