PayPal Disclosure Statement – SHA Values
Companies are always changing their user agreements and public statements. After reading Jeremiah Grossman’s post on PayPal’s disclosure statement I got a creepy feeling about actually trusting the statement. I will probably never attempt to test the security of PayPal’s site, but for those who do, I would hate for the disclosure statement to change suddenly. So, I have copied the statement, pasted it into a file, and determined the SHA-256 and SHA-512 values. I’m not sure if it is even useful, and hopefully nobody ever needs it, but here it is just in case.
[user@localhost Development]$ cat paypal.txt
Reporting site security issues
Our team of dedicated security professionals works vigilantly to keep customer information secure. We recognize the important role that security researchers and our user community play in keeping PayPal and our customers secure. If you discover a site or product vulnerability please notify us using the guidelines below.
To encourage responsible disclosure, we commit that – if we conclude that a disclosure respects and meets all the guidelines outlined below – we will not bring a private action or refer a matter for public inquiry.
Guidelines for responsible disclosure
* Share the security issue with us before making it public on message boards, mailing lists, and other forums.
* Allow us reasonable time to respond to the issue before disclosing it publicly.
* Provide full details of the security issue.
Do not engage in security research that involves
* Potential or actual denial of service of PayPal applications and systems.
* Use of an exploit to view data without authorization, or corruption of data.
* Requests for direct compensation for the reporting of security issues either to PayPal, or through any external marketplace for vulnerabilities, whether black-market or otherwise.
Report security vulnerabilities to sitesecurity@paypal.com.
Our PGP key for reporting can be found here.
Forward spoof and phishing emails to spoof@paypal.com.
[user@localhost Development]$ sha256sum paypal.txt
c42f72aea29f3e558d835b6c5df943498429c3c4a2c81b531e462cea01e48716 paypal.txt
[user@localhost Development]$ sha512sum paypal.txt
b545c30ac6c1531160f19b9c9de0118f80f48fe7ebd0096a6f161ed4ed136d31e528e938b79b19db8a89edb90a8d45018e0d4d8c77b9f61994eada66440f05f8 paypal.txt
[user@localhost Development]$
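Recording a digest is only half of the job; the useful part later is checking a fresh copy against it, and knowing why a check can fail even when the wording looks identical. The script below is an added example, not part of the original post: it writes a constructed stand-in policy text (not PayPal's wording) to a file, records SHA-256 and SHA-512 digests in the check-file format that sha256sum -c and sha512sum -c read back, verifies the file, and then shows that a single appended byte fails verification. It also hashes a string with and without a carriage return, because copy-and-paste from a web page can change line endings or drop a trailing newline and silently produce a different digest from the same visible text. The sha256/sha512 wrappers fall back to shasum where coreutils is not installed; the file names and the policy text are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): record digests of a saved
# policy text, verify a later copy against them, and show how a byte-level
# change (tampering or a line-ending difference) breaks the match.

# Use coreutils sha256sum/sha512sum when present, else Perl's shasum.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}
sha512() {
    if command -v sha512sum >/dev/null 2>&1; then sha512sum "$@"; else shasum -a 512 "$@"; fi
}

# Write a constructed stand-in for the saved statement (example text, not PayPal's).
make_policy() {
    printf '%s\n' "Report security vulnerabilities to sitesecurity@example.com." > "$1"
}

# Record both digests in check-file format ("<hex>  <filename>") next to the file.
record_hashes() {
    sha256 "$1" > "$1.sha256"
    sha512 "$1" > "$1.sha512"
}

# Return 0 only if the file matches BOTH recorded digests; --status suppresses output.
# Must be run from the directory holding the file, since the check file names it.
verify_hashes() {
    sha256 --status -c "$1.sha256" && sha512 --status -c "$1.sha512"
}

# SHA-256 of a string exactly as given (printf '%s' appends no newline), so the
# caller can see how a trailing newline or CR alters the digest.
hash_string() {
    printf '%s' "$1" | sha256 | cut -d' ' -f1
}

# Stand-alone demonstration; runs in a subshell so the caller's cwd is untouched.
demo() {
    (
        dir=$(mktemp -d) && cd "$dir" || exit 1
        make_policy policy.txt
        record_hashes policy.txt
        verify_hashes policy.txt && echo "untouched copy: OK"
        printf 'x' >> policy.txt               # tamper with one byte
        verify_hashes policy.txt || echo "tampered copy: FAILED (expected)"
        echo "abc      -> $(hash_string abc)"
        echo "abc<CR>  -> $(hash_string "$(printf 'abc\r')")"
        cd / && rm -rf "$dir"
    )
}

demo
```

When comparing a later copy of a statement against the recorded values, fetch it as raw bytes (or at least save it the same way you did the first time) and keep the check file alongside the digest, since sha256sum -c does the comparison for you and exits non-zero on any mismatch.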
Go forth and do good things,
Don C. Weber
November 28th, 2007 at 7:07 pm
I have posted some commentary on the policy here:
http://securityretentive.blogspot.com/2007/11/some-comments-on-paypals-security.html
I helped write the policy so hopefully my post will be useful.