WOW! Paypal Sends Me 5000$ For A Command Execution Vulnerability

Update: $5,000 was the initial payment; PayPal paid another $5,000, which makes the total bug bounty $10,000 for the command execution vulnerability:

PayPal Pays Me A Total Bounty Of 10,000 For The Command Execution Bug

Today when I logged into my Gmail account, I saw that PayPal had sent me $5,000 for the command execution bug I reported on one of its subdomains. The bug constituted a huge risk to the organization, since an attacker could easily have executed any command on the server. The bug was therefore extremely critical; however, PayPal took more than two months to sort it out.
I cannot write more about the vulnerability per the terms of the bug bounty program.
Along with the command execution vulnerability, I was paid $500 for an XSS vulnerability that I found on the PayPal main domain; furthermore, I was also paid for an information disclosure. So in total they sent me $6,000.

More than 20 of my bugs are still being validated by PayPal.

Last week, I was offered a job by PayPal as a Senior Pentester, a.k.a. Security Ninja. Kindly look at the screenshot below:



  1. Good job! Nice to see others also winning in the bug bounty scene. Maybe it is a wise decision to take the job.
    ~Benjamin Kunz Mejri @ Vulnerability-Lab

  2. Man, this is so cool. Keep up the good work. And also enjoy the $6,000.

  3. Congrats man! You're the best among all! I idolize you man. Good job!!

  4. @John and Zeeshan

    Thanks for the wishes.

    @Anonymous 3

    Thanks. Well, I am in the middle of my bachelor's; I will surely think about it when I complete it.

  5. Assalam o Alaikum:
    Lots of congratulations, may Allah bless you with much more. I wish you and others having capabilities "serve PAKISTAN". This is the cyber age and PAKISTAN has to face many more challenges.
    May ALLAH grant us wisdom.

  6. Lots of best wishes bro! You are my superstar! I love your articles! You are the best hacker damn it! I wish I were just 1% as intelligent in computers as you!

    Best Regards From Whole Team of

  7. Congratulations on the reward. At least it's good to see that Facebook, PayPal, Amazon and other companies have changed their policy on pentesters. At least a month ago they used to say "Sorry, this vulnerability has been discovered by someone else already and you're not eligible for the reward" to everyone, and after THN published an article on that, they changed it. :)

    You're definitely a really great hacker with a huge knowledge package, and that's what it requires to get into the Security Ninjas. Too bad that you're still teaching your readers about hacking Facebook accounts and cracking cPanels, but all these tutorials have one thing in common: they're teaching how to use a tool.

    Aren't you teaching real hacking to your readers because you're afraid that publishing this kind of "hardcore pentesting" tutorial will increase the number of people who really are eager to learn real penetration testing, and that will cause more high-profile defaces in the future?

    Anyway, congratulations on the reward.
    Greetings from Rynaldo. :)

  8. @Muhammad Abdullah

    Thank you very much for your compliment. Stay in touch.

  9. @Mehul Mohan

    Thank you very much for your appreciation. I believe there are lots of people who are smarter than me; I just give my best shot.

  10. @Rynaldo

    Thanks for your comment. I really don't fully agree with the article that THN wrote. I myself, being a security researcher, know lots of people who send bulk vulnerabilities to PayPal; with so much competition, there is a huge chance that vulnerabilities will be duplicates. Moreover, people use automated vulnerability scanners that are good at detecting information disclosure, so vulnerabilities can be duplicates.

    Regarding your second question, I do teach some advanced topics, but everything is based on the readers. I constantly try to take feedback from readers regarding what they want me to post. Most of them suggest Facebook hacking. I have also posted some advanced stuff that rarely receives any comments, so I need to write what is requested by readers.

    Regarding the use of tools, I have a different opinion. Even a pro will use tools, because they save time and make work easier. However, manual verification is required too. It doesn't matter if a hacker writes a buffer overflow and someone else uses it to compromise a system; the output is what matters most in the pentesting world.

  11. Congrats Rafay Baloch for this achievement!!!

    Please mail the concerned PayPal personnel to allow PayPal in Pakistan. It will be beneficial for all internet marketers in Pakistan.

  12. Congrats dude.. Keep it up.......!!

  13. Congratulations Rafay....and keep on glowing.

  14. Best of luck.. good to see you in the newspapers.

    Keep it up.

  15. @anonymous 18

    I'll take a look at it; by the way, is it an epaper?

  16. Keep it up and well done!



Rafay Baloch is an independent security researcher, Internet marketer, entrepreneur and SEO consultant. He is the founder of the RHA blog and multiple other blogs. Rafay became famous after finding a Remote Code Execution bug in PayPal, for which PayPal awarded him $10,000.

RHA © 2013. All Rights Reserved.