The Hacker News
In a bug bounty program, white hat hackers and researchers hunt for serious security vulnerabilities and disclose them only to the vendor so they can be patched; in return, vendors reward them with money.

Various famous websites such as Facebook, Google, PayPal, Mozilla, Barracuda Networks and others give away bug bounties worth thousands of dollars to hackers for finding vulnerabilities.

The vulnerability most commonly reported on these sites is cross-site scripting, and each month hackers submit many such reports to companies.

If your report is a duplicate, i.e. someone else submitted the same vulnerability before you, the company will reject you from the bug bounty program. But there is no proof, and no open panel, where a hacker can verify whether someone has already reported the same bug. If the company replies, "The bug was already discovered by another researcher", can you do anything even when you know you were the very first person to find it? I guess not!

Something similar happened to me 17 times this year, when I (Mohit Kumar) reported various bugs to Google and Facebook, and the reply was always, "We are aware of the issue, so you are not eligible for the bounty program". The question is, THEN WHY THE HELL ARE YOU STILL VULNERABLE?
PayPal, being the largest eCommerce business, offers a bounty to security researchers for reporting the vulnerabilities they discover and keeping them confidential. One of my close friends, security researcher Christy Philip Mathew, discovered a total of 8 vulnerabilities in PayPal this year, 6 of which 'The Hacker News' reported directly without going through the bug bounty program; the latest two he submitted to PayPal before this disclosure article.

This time the reply was the same: "According to the terms and conditions, the bounty is awarded to the first person that discovers the previously unknown bug."

The two vulnerabilities submitted by Christy were cross-site scripting in and an iFrame vulnerability at .

The XSS was reported on 12th October 2012 and PayPal replied on 16th October 2012 (4 days to think about whether they should give this guy a bounty?) with the message "We regret to inform you that your bug submission was not eligible for a bounty for the following reason. The bug was already discovered by another researcher". When asked whether they could provide proof, or the contact of the researcher who found it before him, there was not a single reply from PayPal after that.

Whereas the iFrame issue was reported on 10th October 2012 and PayPal replied on 7th November 2012 (almost 1 month to discuss with the founder whether, having run out of budget this year, they should again refuse to give a bounty?). So, again the reply was "The bug was already discovered by another researcher".

Are bounty programs playing fair with hackers and researchers? We agree that millions of dollars are distributed to hackers under bug bounty programs, but can anyone prove that they are paying for each and every legitimate submission?

In all likelihood, companies are not paying hunters for each bug and are replying, "we know about the issue". Well, here a hacker can prove this. Please note that the two vulnerabilities were reported by my friend to PayPal about 34 days before the time of writing this article, and even though PayPal's security team replied that they know about the bugs, these vulnerabilities are still working and live.

For readers, we are going to disclose the links below (because the hacker is now not eligible for a bounty, and the PayPal team is really not serious about the security of its own users).

Link for iFrame: Click Here (Open in Firefox)
Link for cross-site scripting: Click Here (Open in Firefox)
(Update: the XSS was fixed by PayPal just after this disclosure was posted, but the iFrame issue is still working.)

Screenshots are given below:
[Screenshots: The Hacker News]

The Hacker News always motivates hackers to first disclose vulnerabilities to vendors, because we take SECURITY SERIOUSLY. But what inspires hackers to sell their findings on the underground market or to do PUBLIC DISCLOSURE is an irresponsible response from the administrators.

Thousands of sites, programs and servers are still vulnerable to hackers today, and there were researchers who contributed to the security of these same companies even before the bounty programs began.

One more thing I want to mention here: if you look at the bug bounty white hat hacker lists, you will find that 50% of the rewarded hackers don't even know how to code a website in PHP or ASP, but they are hackers! (Note: the other 50% are much better in knowledge and I respect most of them, like my other friend Avram Marius, known for hunting hundreds of bugs.)

At the least, I would like to suggest that big companies create a transparent bug bounty panel where hackers can at least see whether someone really did submit a similar bug before them, and companies should at least fix or restrict the vulnerable pages as soon as possible.

Note: Today we also found a cross-site scripting bug in and reported it to the Apple Security Team. The reply was, "We are already aware of the issue, thank you". The question is still the same: then why didn't you take any quick action? And even if I was the second person to report it, why is the bug still exploitable?
