PayPal rewards Pakistani student Rafay Baloch for reporting Bugs (Command Execution Vulnerability)
Last year, a Pakistani Independent Security researcher was awarded $ 10,000 for reporting remote code execution vulnerability inside PayPal. Rafay Baloch had been awarded $ 5,000 by PayPal, He identified a remote code execution vulnerability on www.paypal.com.
Rafay Baloch has written in his personal blog that, ”That’s constituted a huge risk to the organization, since an attacker could have easily managed to execute any command on the server. Therefore the bug was extremely critical; however PayPal took more than 2 months to sort it out,“
This genius had also identified a couple of cross-site scripting vulnerabilities and for that he had received an additional $1,000 that has already been addressed by the online payment processor.
Rafay Baloch has been offered a job as a security quality engineer at PayPal. Regarding the offer he said, He is currently doing his Bachelors and he will think about it when it’s completed. He still needs to learn more about it.
Rafay Baloch, has also helped various well-known industries like Microsoft, Ebay, Apple, Adobe, LastPass, Redhat, Barracudalabs, owncloud and so on.. He has reported various vulnerabilities inside their services and helped them to make their products more secure.
Some reference from Microsoft sites, as you can click to their official links:
He is also an author of two bestselling books:
- A Beginners Guide To Ethical Hacking (Details here)
- An introduction To Keylogger, RATS and malware (Details here)
Message for Hackers from this Master Mind
My message to the ones who have just stepped up in this field is that there is nothing wrong in learn hacking techniques, what makes it wrong is the way you use it. There is a misconception among people that hackers have good jobs overseas, this is all wrong, if you associate the word hacker with your name then no organization will hire you. As they would think that you might be posing risk to their organization. Don’t run after fame, it will just be for some time.
Instead if you are really interested in pursuing your career in information security, I would suggest you to build your skills. Go after some certifications such as CISSP, CEH, and CPTE etc. And start using your skills to help organizations make themselves secure, by reporting it to them.
Final Advice from Rafay Baloch:
My final advice to everyone is not to run after money or fame; it will eventually come to you, Just focus on building your skills. I never blogged for income, what I aimed at was readership. People follow you only when you offer something worth reading. I wish you all the best with your future endeavors and hope that this little post may motivate you to trigger your online journey right today. Jump inside the ring to battle the big giants out there who are still missing a great contender.