Reports in paypal program:

| S.No | Title | Bounty |
|---|---|---|
| 1 | RCE via npm misconfig -- installing internal libraries from the public registry | $30000.0 |
| 2 | Bypass for #488147 enables stored XSS on https://paypal.com/signin again | $20000.0 |
| 3 | Stored XSS on https://paypal.com/signin via cache poisoning | $18900.0 |
| 4 | Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password | $15300.0 |
| 5 | IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users | $10500.0 |
| 6 | DoS on PayPal via web cache poisoning | $9700.0 |
| 7 | XSSI on refer.xoom.com allows stealing email addresses and posting to Twitter on behalf of victim | $3500.0 |
| 8 | XSS [flow] - on www.paypal.com/paypalme/my/landing (requires user interaction) | $0.0 |
| 9 | [PayPal Android] Remote theft of user session using push_notification_webview deeplink | $0.0 |
| 10 | [Venmo Android] Remote theft of user session | $0.0 |
| 11 | Reflected XSS at https://www.paypal.com/ppcreditapply/da/us | $0.0 |
| 12 | Reflect XSS and CSP Bypass on https://www.paypal.com/businesswallet/currencyConverter/ | $0.0 |
| 13 | Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android] | $0.0 |