Rafay Baloch, an independent security researcher out of Karachi, has been rewarded with USD 5,000 for reporting a remote command execution bug in PayPal’s website.
PayPal had announced this "Bug Bounty" program for researchers, under which anyone can report a bug and, once PayPal has validated it, receive a reward.
Rafay writes on his blog that the bug he reported was critical and a serious risk to PayPal, because an attacker could have used it to execute arbitrary commands on the server.
Rafay claims to have been paid USD 500 for an XSS vulnerability he found on PayPal's main domain, in addition to USD 500 for an information disclosure. Rafay claims that 20 bugs he reported are still being validated by PayPal.
Speaking with ProPakistani, Rafay Baloch said that PayPal recently approached him with a job offer, which he does not plan to accept because of his studies.
Rafay has been previously acknowledged by Microsoft, ESET and eBay for reporting bugs and flaws in their systems.