Update 11.28.2007: Security Retentive, a PayPal employee who was personally involved with crafting the language of their disclosure policy, responds to public comments.
Update 11.21.2007: Kelly Jackson Higgins posted a story covering the post.
Very few website owners post how security researchers may contact them regarding a discovered vulnerability. This seems odd, since most experts believe the vast majority of websites contain them. Microsoft, Yahoo, Google, and now PayPal have their contact policies posted. For the rest of the Alexa 500, if a posted policy exists at all, it is extremely hard to find.
PayPal’s newly posted vulnerability disclosure policy deserves special attention, though, because they’ve done something unique and, in my opinion, very intelligent security-wise. If the security researcher follows their stated procedure, which is entirely reasonable, PayPal states plainly that they will not pursue legal action. This should give the researcher confidence that nothing bad is going to happen to them as a result. I think this is a first, and if not, I’ve never seen it.
“To encourage responsible disclosure, we commit that – if we conclude that a disclosure respects and meets all the guidelines outlined below – we will not bring a private action or refer a matter for public inquiry.”
This indicates that PayPal understands that security researchers are the good guys, but that researchers are wary of disclosing website vulnerabilities to them for fear of legal issues. As a result, researchers may choose either not to disclose at all or to post the finding anonymously to a public forum, as has been done so many times on sla.ckers.org. That way they are personally protected, but the problem is that it puts PayPal and their customers in a bad position.
PayPal either doesn’t get the vulnerability data they need at all, waiting for a bad guy to find the exact same thing and exploit it, or they have to run a fire drill once it’s made public. And they might not see the public post right away, which adds further delay. PayPal would much prefer the opportunity to handle the issue in a timely fashion and has no interest in pursuing the matter further, because there is really no benefit to it. Legal entanglements only prevent the good guys from being responsible and don’t deter the real bad guys one bit. And PayPal would know, given the nature of their business.
PayPal sets a good example; hopefully other website owners will take notice and do the same.