It seems like PayPal is running out of money in its bug bounty budget: bug hunters have started to report that PayPal has stopped paying bounties.
Recently, security researcher Mahadev Subedi discovered two XSS vulnerabilities in one of PayPal's domains (paypal-marketing.com.hk) and notified PayPal.
But PayPal responded: "we have determined that these bugs are not eligible for payment based on the fact the website is in the process of being decommissioned and will be shut down in the near future."
Mahadev discovered POST-based cross-site scripting in two pages of the paypal-marketing domain: 1. paypal-marketing.com.hk/merchant-enquiries/index.php, 2. paypal-marketing.com.hk/merchant-enquiries/index-zh.php. PoCs for these vulnerabilities can be found here.
Researchers say that PayPal has stopped paying bug bounties because it has paid out a lot for low-priority bugs.
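For readers unfamiliar with the bug class, the following is an added illustration of POST-based (reflected) XSS and its fix; it is not the code of the paypal-marketing.com.hk pages and does not reproduce the researcher's PoC. The form field name "message", the tiny WSGI handlers and the test payload are all constructed here for the example.

```python
"""Added illustration of the POST-based (reflected) XSS class: a minimal WSGI
form handler in its vulnerable and hardened forms.  This is NOT the code of the
paypal-marketing.com.hk pages; the form field name "message" and the sample
payload are constructed here for illustration."""
import html
from io import BytesIO
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

PAYLOAD = "<script>alert(1)</script>"  # constructed test payload, not from the report


def _read_post_field(environ, name):
    """Return the first value of a urlencoded POST field, or '' if absent."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
    return parse_qs(body).get(name, [""])[0]


def vulnerable_app(environ, start_response):
    """Reflects the submitted field into the page without escaping: XSS."""
    msg = _read_post_field(environ, "message")
    page = f"<html><body><p>You wrote: {msg}</p></body></html>"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [page.encode("utf-8")]


def hardened_app(environ, start_response):
    """Same handler, but the reflected value is HTML-entity escaped
    (quote=True also escapes quotes, so it is safe inside attributes)."""
    msg = _read_post_field(environ, "message")
    safe = html.escape(msg, quote=True)
    page = f"<html><body><p>You wrote: {safe}</p></body></html>"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [page.encode("utf-8")]


def post(app, fields):
    """Drive a WSGI app with a urlencoded POST (no network) and return the body."""
    body = urlencode(fields).encode("utf-8")
    environ = {}
    setup_testing_defaults(environ)
    environ.update({
        "REQUEST_METHOD": "POST",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": BytesIO(body),
    })
    status = []

    def start_response(s, headers):
        status.append(s)

    return b"".join(app(environ, start_response)).decode("utf-8")


def is_reflected_unescaped(app, payload=PAYLOAD):
    """True if the raw payload comes back verbatim in the response body."""
    return payload in post(app, {"message": payload})


if __name__ == "__main__":
    print("vulnerable reflects payload:", is_reflected_unescaped(vulnerable_app))
    print("hardened reflects payload:  ", is_reflected_unescaped(hardened_app))
```

The difference between a GET- and a POST-based reflection is only how the attacker delivers it: a GET payload travels in a link, a POST payload needs the victim's browser to submit a form (typically an attacker-hosted auto-submitting one), which is one reason POST-reflected XSS on a marketing site is commonly rated lower than the same bug on a core domain.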
*Update*:
Bug hunter Harsha Vardhan Boppana asked PayPal about this issue, and they responded with this mail:
Our second party hosted sites (www.paypal-*.com) are mainly marketing based sites that are not part of the core Paypal domains (*paypal.com) and are managed by hosting vendor companies. They do not retain as long a life cycle as the core domains and can have a more volatile timeline as many are tied to projects and regional initiatives. For your own reference, I have provided you a list of sites currently in process of being decommissioned and therefore not eligible for Bug Bounty processing.
Sites to be decommissioned in coming months:
- paypal-deutschland.de
- paypal-danmark.dk
- paypal-promo.es
- paypal-europe.com
- paypal-france.fr
- paypal-nederland.nl
- paypal-norge.no
- paypal-marketing.pl
- paypal-sverige.se
- paypal-turkiye.com
- paypal-business.co.uk
- paypal-marketing.co.uk
- paypal-shopping.co.uk
- paypal-australia.com.au
- paypal-biz.com
- paypal-business.com.hk
- paypal-marketing.com.hk
- paypal-offers.com.hk
- paypal-shopasia.com
- paypal-japan.com
- paypal-apac.com
- paypal-plaza.com
- thepaypalblog.com
- www.paypal-brasil.com.br
- paypal-marketing.ca