Bug Bounty Program

For Professional Researchers: Bug Bounty Program

Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in also helping to keep the eBay family of companies and its customers secure. If you discover a site or product vulnerability, please notify us using the guidelines below.

Program Terms

Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site or product vulnerability to eBay Inc. or its family of subsidiary companies (“eBay”) you acknowledge that you have read and agreed to these Program Terms.

These Program Terms supplement the terms of the eBay User Agreement, the PayPal User Agreement, and any other agreement(s) into which you have entered with eBay Inc. and its family of subsidiary companies (collectively the “User Agreements”). The terms of those User Agreements will apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If any inconsistency exists between the terms of the User Agreements and these Program Terms, these Program Terms will control, but only with regard to the Bug Bounty Program.

Responsible Disclosure Policy

To encourage responsible disclosures, eBay commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms and the User Agreements, eBay will not bring a private action or refer a matter for public inquiry.

Eligibility Requirements

To participate in the Bug Bounty Program, you must have a verified PayPal account in good standing in order to register for the Bug Bounty Program and be eligible to receive Bounty Payments (described further below). Alternatively, if you do not have a PayPal account, you may elect to submit reports via email, but you won’t be eligible for a Bounty Payment. If you do not currently have a PayPal account, you can sign up for one here.

To be eligible for the Bug Bounty Program, you must not:

  • Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
  • Be employed by eBay, Inc. or its subsidiaries;
  • Be an immediate family member of a person employed by eBay, Inc. or its subsidiaries; or
  • Be less than 18 years of age.

If eBay discovers that you do not meet any of the criteria above, eBay will remove you from the Bug Bounty Program and disqualify you from receiving any bounty payments. Any submissions you make to eBay, whether via your Bug Bounty Program account or via email, shall be considered “Submission(s)” for purposes of these Program Terms.

Bug Submission Requirements and Guidelines

If you are a security researcher who has discovered a site or product vulnerability on a qualifying domain and would like to participate in the Bug Bounty Program, you can send us a submission by logging into and participating in the Bug Bounty Program located at PayPal.

In researching vulnerabilities on eBay’s sites, you may not engage in testing that (i) results in a degradation of eBay systems, (ii) destroys eBay or customer data, or (iii) may impact eBay customers, such as denial of service, social engineering or spam.

You may not publicly disclose your findings or the contents of your Submission in any way without eBay’s prior written approval.

Failure to follow these guidelines will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any bounty payments. 

Ownership of Submissions

As between eBay and you, as a condition of participation in the eBay Bug Bounty program, you hereby grant eBay, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to eBay in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us.

You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission.  Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to eBay. In no event shall eBay be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as eBay complies with the terms of participation stated herein.

Eligible Domains

The Bug Bounty Program is valid for specific eBay and eBay-subsidiary websites listed in the Eligible Domains Policy, as updated from time to time and listed within the current PayPal and Magento

Bounty Payments

You may be eligible to receive a monetary reward, or “bounty,” if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to be a valid security issue by eBay’s security team; and (iii) you have complied with all Program Terms.

Bounty payments, if any, will be determined by eBay, in eBay’s sole discretion.  In no event shall eBay be obligated to pay you a bounty for any Submission. All bounty payments shall be considered gratuitous.

In the event eBay elects to pay you a bounty, eBay may make a partial payment when the vulnerability is first verified by eBay and then an additional payment once the vulnerability has been fixed.  The format and timing of all bounty payments shall be determined in eBay’s sole discretion.

All bounty payments must be made to a verified PayPal Account in good standing. If you do not have a verified PayPal Account in good standing at the time of payment, you will not be eligible to receive a bounty (except in extraordinary circumstances agreed to by eBay via email from the Bug Bounty Program team).

All bounty payments will be made in United States dollars (USD).

Estimated payout ranges (in USD) for in-scope vulnerabilities are illustrated here – PayPal and Magento Bug Bounty Payments Payout Ranges.

Wall of Fame

In an effort to provide recognition to research partners, from time to time eBay may feature persons who have made significant contributions. Where selected, and upon mutual written agreement regarding acceptable attribution (email being sufficient), you hereby grant eBay the right to display the display name and/or attribution information on eBay’s Wall of Fame and such other media as eBay desires to publish. Either party may elect to no longer participate or publish contribution information. eBay has the right to remove contribution information of any person that at any time does not comply with the Program Terms or the terms of User Agreements.

Termination

In the event you breach any of these Program Terms or the terms and conditions of the eBay Agreements, eBay may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any bounty payments.

Confidentiality

Any information you receive or collect about eBay or any eBay user through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the eBay sites, without eBay’s prior written consent.

Indemnification

In addition to any indemnification obligations you may have under the eBay Agreements, you agree to defend, indemnify and hold eBay, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of eBay, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Program Terms and/or your improper use of the Bug Bounty Program.

Changes to Program Terms

The Bug Bounty Program, including its policies, is subject to change or cancellation by eBay at any time, without notice. As such, eBay may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after eBay posts any such changes, you accept the Program Terms, as modified.

PayPal Bug Bounty Scope Information

Magento Bug Bounty Scope Information

Submit a Bug to PayPal or Magento

eBay.com submissions are currently not in scope for this Bug Bounty Program.