A 17-year-old teen published 0day XSS at PayPal after he was denied a reward.

Robert Kugler, a 17-year-old student from Germany who is interested in computer security, found a vulnerability on paypal.com, and decided to report it as part of a reward program for bugs found. However, he was refused because he is under 18 years old. In response to this, he posted a vulnerability on seclists.org . Here is what he writes:

Hello all!



I'm Robert Kugler a 17 years old German student who's interested in

securing computer systems.

')

I would like to be cross-site

Scripting vulnerability!

PayPal Inc. is running a bug bounty program for professional security

researchers.



www.paypal.com/us/webapps/mpp/security/reporting-security-issues



XSS vulnerabilities are in scope. I have tried

to PayPal Site Security.



The vulnerability is located in the search function and can be triggered.

with the following javascript code:



'; alert (String.fromCharCode (88,83,83)) //'; alert (String.fromCharCode (88,83,83)) // ";

alert (String.fromCharCode (88,83,83)) // "; alert (String.fromCharCode (88,83,83)) // -

</ SCRIPT> "> '> <SCRIPT> alert (String.fromCharCode (88,83,83)) </ SCRIPT>



www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search



Screenshot: picturepush.com/public/13144090



Unfortunately PayPal disqualified me payment

because of being 17 years old ...



PayPal Site Security:



“To be eligible for the Bug Bounty Program, you * must not *:

... Be less than 18 years of age. If PayPal discovers that a researcher does

PayPal will remove that researcher from

the Bug Bounty Program and disqualify them from receiving any bounty

payments. "



I don’t want to pay

you are not interested in security

researchers ...



Best regards,



Robert Kugler

By the way, such programs from Mozilla and Google allow you to receive remuneration to participants under the age of 18, with the consent of the parents.