About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.

PayPal Groks Security?

Via Jeremiah, I see that PayPal's new vulnerability disclosure policy includes an amnesty clause for well-intentioned security researchers:

To encourage responsible disclosure, we commit that - if we conclude that a disclosure respects and meets all the guidelines outlined below - we will not bring a private action or refer a matter for public inquiry.

Their guidelines include some subjective language, so I'm not sure how much protection this policy actually offers. (Any lawyers want to clarify?) Here they are:

  • Share the security issue with us before making it public on message boards, mailing lists, and other forums.

  • Allow us reasonable time to respond to the issue before disclosing it publicly.

  • Provide full details of the security issue.

PayPal also describes what not to do:

  • Potential or actual denial of service of PayPal applications and systems.

  • Use of an exploit to view data without authorization, or corruption of data.

  • Requests for direct compensation for the reporting of security issues either to PayPal, or through any external marketplace for vulnerabilities, whether black-market or otherwise.

If you're like me, some questions come to mind. How much time is reasonable? Since data can be anything, how do we know if we view data without authorization? Don't most people assume they're authorized to view something if they're allowed to view it? Does intent matter?

Questions aside, here's hoping this is a genuine attempt to do the right thing. Thanks, PayPal.

To my fellow Americans, have a wonderful Thanksgiving holiday! To everyone else, have a nice rest of the week. :-)

About This Post

PayPal Groks Security? was posted on Wed, 21 Nov 2007 at 21:48:21 GMT.

2 Comments

1. Peter's GravatarPeter said:

Unfortunately as Paypal are owned by eBay I highly doubt that their intentions are good.

A couple of years ago I had my eBay account hacked and I managed to find an eBay phone number, they were more concerned about how I got their number than I was about the account being hacked. Whats more they told me account being hacked was not a security issue.

Wed, 21 Nov 2007 at 23:37:44 GMT Link

2. Andy Steingruebl's GravatarAndy Steingruebl said:

I have posted some commentary on the policy here:

http://securityretentive.blogspot.c...s-security.html

I helped write the policy so hopefully my post will be useful.

Wed, 28 Nov 2007 at 19:05:52 GMT Link

Post A Comment

Personal Details and Comment

Style Guide

Line breaks are converted to paragraphs. Also use:

  • <a href="" title="">text</a>1
  • <em>text</em>
  • <blockquote><p>text</p></blockquote>
  • <code>2  <?php  if ($foo) {      $foo = TRUE;  }  ?></code>
  1. Note: <code> can be used inline (e.g. in paragraphs) or in a block as shown. Include whitespace and newlines in blocks.

Please enter Chris (my first name) below. This is a primitive spam prevention technique, and I apologize for the inconvenience.

Preview and Submit

Upcoming Events

Brooklyn Beta

21 - 22 Oct 2010

At The Invisible Dog, Brooklyn, New York.

New Comments

Chris Shiflett wrote:

Hi John, How do you avoid race conditions with this? The findandmodify() command is atomic,...

Posted in Auto Increment with MongoDB
John Judy wrote:

How do you avoid race conditions with this? Once you get to a certain traffic volume two or more ...

Posted in Auto Increment with MongoDB
Chris Shiflett wrote:

Hey Ivo, Andrei is best suited to give a full response, since he's the one who researched this...

Posted in Auto Increment with MongoDB
Ivo wrote:

Although you did mention that you werent going to discuss the why, I can't think of a single vali...

Posted in Auto Increment with MongoDB
Stikkyfinger wrote:

Jon Gibbins plays a mean guitar? I'd be interested to know what he plays and what type of guitar ...

Posted in Hello, Analog

Browse Comments

Work and Books

Analog Essential PHP Security HTTP Developer's Handbook