The Federal Labor Standards Act has provisions about anyone under the age of 18 working for companies whose revenue is greater than $500,000. It sucks to be a kid for a lot of reasons.
This kid just blamed Paypal for one of our country's many idiotic federal laws.
This choice should be considered a career limiting decision by any hiring manager.
I find the meaning and knowledge of laws to be inaccessible overall as a 18+ citizen. I'm not American, but who for instance knew that there were "provisions" under the Federal Labor Standards Act?
It makes me angry, but the law here in the US is that "ignorance is not a defense." Oh... you didn't know our several million laws when you broke one? Too bad, they say. Lawyers counter that if the law was simpler, they wouldn't have jobs.
Still very poorly handled. Should've gone something like:
1. "Hey, that's awesome that you found that, thanks!"
2. "For very good reasons (a), (b) and (c) we can't actually pay you, that really sucks :("
3. "But hey we like your style, so how about we fly you over for an internship when you've finished school / investigate if Germany has different rules / look at scholorship options and a great reference / [one of a million other things you could do to help a kid out"
IANAL.. but I can't see how asking a parent to represent him would relieve PayPal of complying with labor standards for minors... he's still the one doing the work.. and advising him to have a parent represent him is just written proof that they knew.
"This choice should be considered a career limiting decision by any hiring manager."
Hopefully not forever. When I was young and stupid and the net was a much simpler place I casually fully disclosed the problem with posting your Cisco configs with "encrypted" passwords to Usenet:
I would not do something like this today, especially not in such a full-of-myself douchey manner.
Sadly a lot of postings to the internet are basically "forever" at this point and combined with the insistence of so many companies that real names be used, we're going to have generations of younger folks who say or do something stupid (because they are young and stupid) that they can never get rid of. And that's unfortunate.
I completely agree. I also think that this kind of post on full-disclosure should be used as an example of what-not-to-do.
I've always treated vuln reward programs as resume enhancers. If you submit a bug and get it fixed, you get to show two incredibly valuable and rare skills in the infosec community:
1) technical chops
2) interpersonal skill
Disclosers who have the patience to endure some of the bullshit that comes up in these programs are going to be successful in the security industry. The hardest problems in infosec are not technical. They are cultural. Publicly flaming a vuln reward program because they didn't pay you for what you see as an arbitrary reason is exactly the kind of reason execs do not want to do vuln reward programs. Someone had to fight to get that program set up at paypal. It had to be within the laws of the country that governs the company. This kid just through a temper tantrum in public and signed his name on the email. Any advocates he had at paypal are probably re-evaluating their support of him. So short sighted.
just an FYI, you can (even if you don't have the email anymore) get old posts removed from google groups, you have to jump through a bunch of hoops, but it isn't too hard to do. Just read around. I had to cover for 18 year old me posting god knows what on usenets several years ago. I did this when google first bought deja news however, you can likely get them to remove it.
who knew people were saving stuff back in 94-95. hell anyway 18 year old me didn't care, but luckily I can cover for him.
The Fair Labor Standards Act places no limitations on the work of 16 and 17 year olds in non-hazardous jobs, and in any case does not concern itself with non-employment relationships like the one Paypal would have had with this 17-year-old.
There is a reason that you read about minors running their own businesses all the time. The laws are targeted at employment that is exploitative or interferes with a child's education. Not at things like this.
Or, pay him via his parents. Somehow we manage to have child actors get paid by movie studios; there must be a way for them to be able to pay children bug bounties, if they actually wanted to.
How do those apply in Germany? Do all subsidiaries in all countries have to follow FLSA? I assume Paypal's German subsidiary is only responsible for following German employment law.
