I'm not sure which people at PayPal are going to take the blame for this little fiasco, but it would be interesting to know what they were thinking.
A 17-year-old German student found a significant security vulnerability on PayPal’s website, and when he revealed the issue to the company, he expected to be rewarded.
But PayPal refused to pay Robert Kugler a Bug Bounty, telling him he was too young to participate in the company’s program that rewards people who find glitches in the system. TechWeek Europe reported that PayPal defended its actions in not paying the bounty because of Kugler’s age and because the bug had already been found.
First of all, they are generating bad press over a topic tangentially related to their existing PR problem of being seen as a company that refuses to pay people money they are owed. But perhaps more importantly, while the bug in this case may not have been critical, PayPal is signaling to other hackers that its bug bounty program is not necessarily reliable, when there are plenty of other people out there willing to buy information on PayPal's bugs.