packetstorm, Robert Kugler, PACKETSTORM:121772
May 26, 2013 - 12:00 a.m.

PayPal.com Cross Site Scripting

packetstormsecurity.com
`Hello all!  
  
I'm Robert Kugler, a 17-year-old German student who's interested in  
securing computer systems.  
  
I would like to warn you that PayPal.com is vulnerable to a Cross-Site  
Scripting vulnerability!  
PayPal Inc. is running a bug bounty program for professional security  
researchers.  
  
https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues  
  
XSS vulnerabilities are in scope. So I tried to take part and sent my find  
to PayPal Site Security.  
  
The vulnerability is located in the search function and can be triggered  
with the following javascript code:  
  
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";  
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--  
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>  
  
https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search  
  
Screenshot: http://picturepush.com/public/13144090  
  
Unfortunately PayPal disqualified me from receiving any bounty payment  
because of being 17 years old...  
  
PayPal Site Security:  
  
"To be eligible for the Bug Bounty Program, you *must not*:  
... Be less than 18 years of age. If PayPal discovers that a researcher does  
not meet any of the criteria above, PayPal will remove that researcher from  
the Bug Bounty Program and disqualify them from receiving any bounty  
payments."  
  
I don't want to allege PayPal a kind of bug bounty cost saving, but it's  
not the best idea when you're interested in motivated security  
researchers...  
  
Best regards,  
  
Robert Kugler  
`
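
Added example, not part of the original post and not PayPal's code: the string quoted in the post closes single- and double-quoted JavaScript strings, an HTML comment, a script block and quoted attributes, so a search page that reflects the term has to encode it for each context it is written into. The function names and the page template below are hypothetical.

```javascript
// Context-aware output encoding for a reflected search term.
// encodeHtml, encodeJsString and renderResults are hypothetical names.

// Probe string quoted in the post above, with its line breaks removed.
const PROBE =
  "';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";" +
  "alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--" +
  "></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>";

// HTML text and quoted-attribute context: encode the five significant characters.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context inside a <script> block: everything outside
// a small safe set becomes \uXXXX, so quotes, backslashes, "/" and "<" cannot
// end the string literal or the enclosing script element.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hypothetical results page that reflects the term in three different contexts.
function renderResults(term) {
  return [
    `<input name="q" value="${encodeHtml(term)}">`,
    `<p>Results for ${encodeHtml(term)}</p>`,
    `<script>var lastQuery = '${encodeJsString(term)}';</script>`,
  ].join("\n");
}

// Counts opening script tags in rendered output; the template itself has one.
function countScriptTags(html) {
  return (html.match(/<script/gi) || []).length;
}

console.log(renderResults(PROBE));
console.log("script tags in output:", countScriptTags(renderResults(PROBE)));
```

Each encoder is only valid for its own context: HTML entity encoding alone does not protect a value written into a script block, which is why the template uses a separate encoder there.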