Case Study: PayPal achieves strong relationships with security researchers and improved security with HackerOne

A HackerOne Case Study

Preview of the PayPal Case Study

PayPal On Creating Strong Relationships With Security Researchers

PayPal has run a public bug bounty program since 2012, paying more than $6 million to roughly 3,000 ethical hackers. The company’s challenge was building and maintaining strong, collaborative relationships with outside researchers while reducing subjectivity in scope, severity assessments, and payouts to improve program efficiency and trust.

PayPal addressed this by fostering two-way communication and transparency with the HackerOne community, sharing methodologies, and encouraging high-quality reports. On the technical side, PayPal mapped each exact CVSS score to a fixed bounty amount, so a report's payout follows directly from its severity score rather than from case-by-case negotiation. Combined with clearer reporting expectations, this led to faster remediation and payouts, stronger researcher engagement, and measurable improvements to PayPal's security posture.


PayPal

Ray Duran

Information Security Engineer

