<![CDATA[[SecurityRatty] tag: paypals]]> http://securityratty.com/tag/paypals Tue, 27 Nov 2007 15:07:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Personal Plug: I'm hiring]]> http://securityratty.com/article/d1457e6103634dacb007af63ca4c1438 http://securityratty.com/article/d1457e6103634dacb007af63ca4c1438
Specifically - I'm hiring an Application Security Researcher.

Primary responsibilities will be:
  • Lead Research on browser security models
  • Research new application security attacks and countermeasures
  • Develop prototypes of security protection mechanisms for browsers and PayPal software to implement and prove application security ideas
  • Conduct web application security assessment
  • Participate in the development, review, and update of application security standards
  • Work with PayPal’s SDL group to improve the security of PayPal developed applications
  • Research new development techniques
  • Research new development, languages, testing methodologies, and frameworks to improve the security of PayPal applications.
If you're interested in other security positions we also have open, please go to: http://www.ebaycareers.com/

You can search for jobs with the keyword "security" under PayPal. Brassring makes posting a whole list of positions tricky.]]> Fri, 13 Jun 2008 08:55:00 +0000 browser security models security application security standards security protection mechanisms application security attacks information security team application security researcher applications paypal applications Personal Plug: I'm hiring <![CDATA[Some Comments on PayPal's Security Vulnerability Disclosure Policy]]> http://securityratty.com/article/bddee49bc02f2f7e22e5aebc4dc60a70 http://securityratty.com/article/bddee49bc02f2f7e22e5aebc4dc60a70 several places that have written about this policy in the last few days.

I was personally involved in crafting the policy and while I can't make commitments or speak officially for PayPal I thought I'd take a few minutes to explain our thinking on a few of the items in the policy.

First, a few points. PayPal didn't have a great system for reporting security issues until this new policy came out. Our goals in creating and publishing the policy were several:
  • Improve the security of our site by getting security issues disclosed to us responsibly.
  • Create an easy mechanism for people to report a security vulnerability to us. We chose email since we figured security researchers would like it better than a form.
  • Create incentives for disclosure and remove disincentives (threat of legal liability)
  • Make clear our expectations in these areas, since this is a new and evolving area of security vulnerability disclosure with more than a little legal uncertainty.
  • Through our policy - set a standard we hope others can follow.
We carefully constructed the language in the policy with our privacy lawyers to ensure that we were not over-promising with respect to legal liability. We looked at other disclosure policies, and we settled on the policy you can find here.

A few specific notes are in order:

  • We will revise the policy over time based on user feedback.
  • We are serious in our commitment to rapidly address any discovered security issues with the site. Our language around reasonable timeframe is slightly vague because we don't want to over-promise on how quickly we can resolve an issue.
  • We do expect to get back to researchers quickly with confirmation of a reported issue and tracking data on how we're doing resolving it.
Let me now address a few concerns/comments people have specifically raised.

Chris Shiflett said:
Since data can be anything, how do we know if we view data without authorization? Don't most people assume they're authorized to view something if they're allowed to view it? Does intent matter?
While we don't want users to test the security of the PayPal site, should they do so they should be careful to minimize the disruption caused by their testing. If you start tinkering with URLs to see whether you can view certain data, do it between two accounts you control, don't try to view other people's data. There is a fine line between testing responsibly and irresponsibly and we're encouraging people to stay on the more responsible side of the line.

From Don's post:
I got a creepy feeling about actually trusting the statement. I will probably never attempt to test the security of PayPal’s site, but for those who do I would hate for the disclosure statement to change suddenly.
As I said earlier, we do believe the policy is a work in progress. We will modify it from time to time to allay concerns, improve its effectiveness, etc. Our goal however is to encourage responsible disclosure. I hope that intent behind the policy is enough to allay people's potential fears.

One final note on the statement - "Allow us reasonable time to respond to the issue before disclosing it publicly." We struggled over the wording on this more than any other element of the policy. It is a tricky business to get the right balance between early disclosure, our commitment to protect our customers and their data, and people's desire to know about the security of a given website or service. That said, we're committed to working with researchers when an issue is reported to us and we'll decide reasonable on a case-by-case basis.

We're hoping that this policy strikes a good balance between our desire for responsible disclosure, and not discouraging researchers from coming forward.

Again, I'm not a spokesperson for PayPal, so this post naturally represents my personal beliefs about this policy not a firm binding statement of company policy. That said - I welcome your comments.]]> Tue, 27 Nov 2007 15:07:00 +0000 disclosure encourage responsible disclosure responsible disclosure security security vulnerability disclosure policy security vulnerability disclosure policies disclosure statement Some Comments on PayPal's Security Vulnerability Disclosure Policy