A 17-year-old student from Germany is claiming that PayPay has denied him the reward for discovering a flaw in its website.
Many companies such as Google and Facebook have reward programs in exchange for privately reported problems. These incentives aim to allow the company to fix the problems before hackers exploit them.
Robert Kugler detected a cross-site scripting flaw on PayPal’s site that hackers could use to steal information or run malicious code.
According to pcworld.com, Kugler informed PayPal of the site’s vulnerability on May 19. The company responded that because he’s under 18 years of age, he does not qualify for the Bugs Bounty Program.
PayPal outlines the terms and conditions for its Bugs Bounty Program on its site, which include no mention of age restrictions.
Facebook and Google also don’t have any age restrictions in their terms and conditions. They’ll pay a 12-year-old anywhere from $500 to $20,000 for detecting a bug that could have potentially ruined the sites in the near future.
Kugler said that despite his age, he has received numerous awards for finding vulnerabilities. He was paid $1,500 by Mozilla for finding a flaw in the Firefox browser last year.
Even if he doesn’t get any money from PayPal, Kugler would at least like to see some documented acknowledgement of his contribution to the site.
As of now, he hasn’t received anything.