To encourage responsible disclosure, we commit that - if we conclude that a disclosure respects and meets all the guidelines outlined below - we will not bring a private action or refer a matter for public inquiry.
Their guidelines include some subjective language, so I'm not sure how much protection this policy actually offers. (Any lawyers want to clarify?) Here they are:
Share the security issue with us before making it public on message boards, mailing lists, and other forums.
Allow us reasonable time to respond to the issue before disclosing it publicly.
Provide full details of the security issue.
PayPal also describes what not to do:
Potential or actual denial of service of PayPal applications and systems.
Use of an exploit to view data without authorization, or corruption of data.
Requests for direct compensation for the reporting of security issues either to PayPal, or through any external marketplace for vulnerabilities, whether black-market or otherwise.
If you're like me, some questions come to mind. How much time is reasonable? Since data can be anything, how do we know if we view data without authorization? Don't most people assume they're authorized to view something if they're allowed to view it? Does intent matter?
Questions aside, here's hoping this is a genuine attempt to do the right thing. Thanks, PayPal.
To my fellow Americans, have a wonderful Thanksgiving holiday! To everyone else, have a nice rest of the week. :-)