PayPal Groks Security?

21 Nov 2007

Via Jeremiah, I see that PayPal's new vulnerability disclosure policy includes an amnesty clause for well-intentioned security researchers:

"To encourage responsible disclosure, we commit that - if we conclude that a disclosure respects and meets all the guidelines outlined below - we will not bring a private action or refer a matter for public inquiry."

Their guidelines include some subjective language, so I'm not sure how much protection this policy actually offers. (Any lawyers want to clarify?) Here they are:

PayPal also describes what not to do:

If you're like me, some questions come to mind. How much time is reasonable? Since data can be anything, how do we know if we view data without authorization? Don't most people assume they're authorized to view something if they're allowed to view it? Does intent matter?

Questions aside, here's hoping this is a genuine attempt to do the right thing. Thanks, PayPal.

To my fellow Americans, have a wonderful Thanksgiving holiday! To everyone else, have a nice rest of the week. :-)