Why PayPal Has a Bug Bounty Program, and How It Works

Part 1 | Part 2

Sri Shivananda: At PayPal, we are in the business of trust – and trust is built on people feeling secure. We provide peace of mind to our customers by working hard to protect their credentials and their money, so they can be confident when they use our services. And while we may offer different products over time, that underlying relationship of trust is all built on a solid foundation of security. We invest a lot in building secure platforms, creating strong defenses and protective systems, but we also know that there is a broader community of experts that can also help us. That’s why we have a way for smart and passionate people outside the company to collaborate with us and help us make our products and services more secure. Ray, can you tell me about how we do this?  

Ray Duran: We do have an amazing security team at PayPal. We augment their talents with our bug bounty program, which we manage in partnership with HackerOne. This helps bring us an incredible level of diversity and collaboration with the broader security research community. Researchers (or ethical hackers) bring us perspectives—geographical, cultural, life experiences—that help identify potential threats.

Sri: We think of security as ‘priority one’. We make a very large investment in it, and we have some of the most talented security professionals. So why is it important for us to engage with this global community of hackers? 

Ray: There are about 600,000 researchers on the HackerOne platform. Of those, we work with about 1,000 in total and have a community of 20-30 external researchers that are dedicated to PayPal.  

Many hackers have expertise in areas that are valuable to us. Researchers often have relevant or highly specialized prior experience. Maybe they have considerable experience working with a certain component in Python or Node.js, or perhaps they are even the original developer of the code. This allows us to tap into people who have a microfocus in a specific area that can bring a fresh perspective and help secure our services.    

Sri: With many companies running similar programs, why would a hacker want to work with us, versus others? 

Ray: Well for one, we have one of the higher bounty pools. Also, we try to be as transparent as possible around scope, communicating about why we make certain decisions and using objective measures like CVSS (Common Vulnerability Scoring System) to help share logistically why something may or may not have been accepted into the program. 

Sri: I know our program terms dictate what is and what is not considered a bug, thus determining what can qualify for bug bounty submissions. One of those out-of-scope issues is a hack resulting from stolen credentials (be it a stolen credit card, login information, bank account information) otherwise known as a compromised account. If those are out of scope for bug bounty submissions, how should ethical hackers go about reporting those types of issues, and how do we treat them?  

Ray: We take all bug bounty submissions seriously and we review each with great scrutiny. When we close a bug because we determine that a submission does not pose a threat to our customers, it’s not a decision that we take lightly.  

Stolen credentials are an unfortunate reality given the many well-publicized data breaches impacting consumers and the world of fraud in general. But we don’t triage these issues as bugs because even if fraudsters could use these credentials to gain access, they can be addressed by our fraud and risk teams and sophisticated anti-fraud platforms. We set the standard for fraud prevention by leveraging our two-sided network to minimize fraud across major payment types and channels – including online, offline and mobile. In addition to thwarting fraudulent activity, we combine advanced data science and a robust team of analysts to better understand consumer behavior. This helps us identify good behavior to minimize decline rates and ensure a smooth payment experience.  

Our Buyer and Seller Protection also help make our customers whole should their accounts be compromised and if they lose money due to unauthorized transactions on eligible purchases or sales.   

Sri: Do we run this program ourselves?  

Ray: Our program is operated in partnership with HackerOne. They host our bug bounty submission portal and terms of service so researchers can see all the details of the program, including bug bounty payouts, how to ask questions, etc. Our internal bug bounty team makes all final decisions, and HackerOne provides us access to a network of reputable security researchers, helps with triaging bug submissions, and manages duplicate bug reports.

Sri: On the one side, companies want to run these programs and get the benefit from the global community of ethical hackers. On the other hand, hackers across the globe can go and look for exciting things to work on. I think in one of the reports I have seen, only 15 percent of ethical hackers actually do this for the money. Most of them want to work on challenging problems, or upskill themselves, or grow their career. HackerOne collectively – across all of the companies – pays out $60-80 million a year. How much did PayPal pay out for bug bounties in 2019?

Ray: Last year PayPal paid out just under $2 million, and we look forward to seeing that number climb in 2020.  

#bugbounty #ethicalhacking

Dan Parelskin

SVP at Apono | Cybersecurity, Hacking & Zero Trust - Using AI to Eliminate Cloud Permission Risk in Modern Enterprises

4 years

PayPal has a rockstar team that built one of the top bug bounty programs in the world rooted in transparency and doing right by the hacking community. Exemplary!

John David Rainey

Chief Financial Officer at Walmart

4 years

Thanks for sharing this, Sri and Ray. Great overview of how our bug bounty program supports PayPal’s commitment to ensuring the security and safety of our customers’ information.

Stacey-Ann Pearson

General Manager @Zodia Custody | Head of Web3 | Executive Director | Digital Assets

4 years

Thanks for sharing these insights Sri Shivananda and Ray Duran about how PayPal invests in its platform security by partnering with the community. As the world becomes more decentralized and hacks become more sophisticated, this serves as an example that even tech giants and payment services champions can benefit from giving back to the community. Kudos to you and the PayPal team!

Dan Schulman

Technology and Financial Services Business Leader and Board Member

4 years

Thank you for highlighting this critical program, Sri and Ray. Looking forward to reading part two!

Matthew Smith

Director, Security Operations Program at Templar Shield

4 years

Glad to see the Bug Bounty program is still thriving! I was one of the people that started the program. It’s done a lot of great work!