
A 17-year-old teenager published a 0-day XSS in PayPal after being denied a bug bounty.

Robert Kugler, a 17-year-old student from Germany with an interest in computer security, found a vulnerability on paypal.com and reported it under PayPal's bug bounty program. He was refused a reward because he is under 18. In response, he published the vulnerability on seclists.org. Here is what he writes:

Hello all!

I'm Robert Kugler, a 17-year-old German student who's interested in securing computer systems.

I would like to disclose a cross-site scripting vulnerability!

PayPal Inc. is running a bug bounty program for professional security researchers.

www.paypal.com/us/webapps/mpp/security/reporting-security-issues

XSS vulnerabilities are in scope. I have reported it to PayPal Site Security.

The vulnerability is located in the search function and can be triggered with the following JavaScript code:

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search

Screenshot: picturepush.com/public/13144090

Unfortunately PayPal disqualified me from payment because of being 17 years old ...

PayPal Site Security:

"To be eligible for the Bug Bounty Program, you *must not*: ... Be less than 18 years of age. If PayPal discovers that a researcher does ..., PayPal will remove that researcher from the Bug Bounty Program and disqualify them from receiving any bounty payments."

I don't want to pay ... you are not interested in security researchers ...

Best regards,

Robert Kugler
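
Why a polyglot like the one above gets through a search page that reflects the query into more than one context, and what context-aware output encoding does to it. This is an added example, not code from the post or from PayPal; the result-page shape and the helper names are assumptions.

```javascript
// Added example (not from the original post). A search results page often
// reflects the query twice: in HTML text ("Results for: ...") and inside an
// inline <script> string. Each sink needs its own encoding; HTML-escaping
// alone leaves the JavaScript string context open. Page shape is assumed.

// The test string from the post, reproduced here as constructed input.
const POLYGLOT =
  `';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";` +
  `alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-` +
  `</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`;

// Encoding for HTML text and attribute context.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Encoding for a JS string literal inside <script>: JSON.stringify escapes
// quotes and backslashes; '<' is additionally escaped so "</script>" can
// never appear in the output and close the script block early.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c');
}

// Vulnerable rendering: the raw query lands in both contexts, which is what
// a reflected XSS in a search function looks like.
function renderVulnerable(q) {
  return `<h1>Results for: ${q}</h1>\n<script>var query = '${q}';</script>`;
}

// Hardened rendering: the encoding matches the context of each sink.
function renderHardened(q) {
  return `<h1>Results for: ${htmlEscape(q)}</h1>\n<script>var query = ${jsStringLiteral(q)};</script>`;
}

// Review check: count script open/close tags in the rendered page. Anything
// above the template's own two tags came from the reflected input.
function countScriptTags(html) {
  return (html.match(/<\/?script/gi) || []).length;
}

// Stand-alone run: vulnerable page gains six injected tags, hardened gains none.
console.log(countScriptTags(renderVulnerable(POLYGLOT)), countScriptTags(renderHardened(POLYGLOT)));
```

The hardened output still round-trips the original query (`JSON.parse(jsStringLiteral(q)) === q`), so legitimate searches containing quotes or angle brackets are not broken by the encoding.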


By the way, the equivalent programs at Mozilla and Google do pay participants under 18, with parental consent.

Source: https://habr.com/ru/post/181013/

