This blog post was written and contributed by Ray Duran on behalf of the PayPal Bug Bounty team.
PayPal transitioned its Bug Bounty program to HackerOne in September 2018 and in that time has paid out more than $1.5 million in bounties and resolved over 300 vulnerabilities thanks to the 1,000+ hackers participating in our program. We’ve come a long way since our first year of Bug Bounty at PayPal, so we’d like to take a moment to reflect on our journey, share some exciting changes we’ve made to the program recently, and let you know about what’s to come.
A BRIEF HISTORY
In 2012 PayPal launched its first-ever Bug Bounty program. We were part of the first wave of tech companies to acknowledge the ethical hacker community and we established our Bug Bounty program as a way to interact with this community. Over the next seven years PayPal paid out more than $3,800,000 to roughly 2,000 ethical hackers who participated in our homegrown program. It grew to be one of the most active and competitive Bug Bounty programs in the world — something we worked incredibly hard to establish, maintain, and grow with the dedicated help of the hacker community.
By 2018 the concept of Bug Bounty programs had grown significantly in the industry, and large communities of hackers with diverse skill sets were growing rapidly. To engage an even larger community and uncover new talent, we decided to partner with HackerOne to continue growing our program.
JOINING FORCES FOR THE COMMUNITY
In September 2018 we joined forces with HackerOne, first inviting all actively contributing researchers from our existing program and then opening the program to the public. Within the first six months, we received contributions from 890 researchers across 56 countries, more than double the number from the prior six months.
"I've really enjoyed working on the PayPal program on HackerOne over the last year," said hacker Ron Chan, also known as ngalog. "The team is very responsive and always consistent. After working with them so much for so long, I feel like they have gotten to know me and my reporting style, and I've gotten to know them just as well. This helps us communicate even faster the more we work together and ultimately leads to quicker fixes and payouts."
We see contributors to our Bug Bounty program as an extension of the team, and we’re able to improve our security because of these dedicated individuals. Building relationships with hackers has been a priority since the beginning, and these relationships not only improve engagement but also humanize bug bounty programs and build better transparency in the security community.
Historically, security has been an opaque industry, with little shared learning or collaboration happening outside of individual organizations. However, thanks to the efforts of the hacker community, platforms like HackerOne, and the companies that participate, times are changing. The bug bounty industry has introduced a culture of openness, and we look forward to continued progress on this front. Through our partnership with HackerOne, we’ve enjoyed collaborating with other organizations to learn how they’ve tackled similar situations, experimented, and evolved their programs. In turn, we’ve been active participants in product feedback and roadmap discussions to help influence HackerOne features and updates that serve our peers as well as the hacker community. Together, we can advance the security industry faster and improve the bug bounty ecosystem, something our team is passionate about.
PAYPAL BUG BOUNTY ALL STARS
We’ve made great progress over the last eight years, but we still see it as just the beginning. As PayPal has made acquisitions, we’ve been able to add new assets to our scope. Most recently, we added Swift Financial to our program. These assets fall under the current bounty structure for the PayPal program and haven’t been part of any past program. Take a look and share your findings!
We’d like to thank all the hackers who have participated in the PayPal Bug Bounty program to-date, both on and off HackerOne. We want to send a special shout-out to our top 20 hackers over the last year — thank you for your dedication, collaboration, and relentless commitment to security. To commemorate this milestone, each of the top 20 hackers will be receiving a limited production physical challenge coin for their contributions to PayPal security.
Don’t see yourself on the list? You still have a chance to earn a challenge coin. We’re kicking off a special promotion starting today: any hacker who reports a valid high- or critical-severity bug between September 26, 2019 (today) and October 10, 2019 will receive a special edition challenge coin.
To learn more about the PayPal program and get hacking, visit https://hackerone.com/paypal.