Full Disclosure mailing list archives

Re: PayPal.com XSS Vulnerability


From: Vulnerability Lab <research () vulnerability-lab com>
Date: Wed, 29 May 2013 20:15:13 +0100

Let me provide an answer regarding the conversation about the young
researcher < PayPal and the 13 more PayPal XSS posts.

Priority #1 - PayPal checks whether all rules have been successfully met
Priority #2 - PayPal checks & validates the issue

#1 The guy did not read the participation rules and in the end made a
full disclosure for fame
#2 The issue was already reported and PayPal is preparing a patch with
priority influence

If you do not want to see or accept the truth ... you should at minimum
grant the researcher the credits.
The little Indian forcer scene from the govt with the Mohit Kumar
mythology wants their bugs patched within one day
and a payout tomorrow, but in the real world this is not easily
possible. They also have concepts to prevent and
check the effects of patches and so on.

In this case the little guy had no knowledge that the issue was already
reported multiple times, and the others were all silent.
In the end he lost everything ... he got no money, his bug was not
accepted, and he will no longer get the possibility to report future
issues because he broke the policy with a full disclosure for no reason.

I will continue to report my issues to PayPal to get bug bounty rewards,
since so far everything has been correct.
When I saw the news I was a bit stunned at how evil the news groups
published the news against PayPal, since the facts are on the table.

~bkm

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research () vulnerability-lab com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
