The crowd-sourced approach is more efficient for companies, since they benefit from having many pairs of eyes on their operations. One study showed the rewards given out work out to be cheaper than hiring more full-time security staff.
Instead of payment, EBay recognizes researchers if they responsibly disclose flaws and do not publish public information before a flaw is patched. A long list of contributors is on its Responsible Disclosure Acknowledgement Page, and Ali is among them.
Joshua Rogers, a teenager who lives in Melbourne, said he started looking around eBay's website just prior to the data breach because he was bored. Rogers is notable for finding a SQL injection flaw late last year in the website of Public Transport Victoria, which runs that Australian state's transport system.
He said via email he's found several cross-site scripting vulnerabilities and an information leakage flaw in eBay. He also found a SQL injection vulnerability, which was fixed by eBay about four days ago.
But he wrote "we are aware that active content may be also used in abusive ways."
EBay's security system detects when malicious code is inserted on the website, and it bans the use of some kinds of active content, Moore wrote. Product listings that have malicious content are removed.
One problem involving Flash was reported to eBay last week by 19-year-old Jordan Lee Jones, who lives in Stockton-on-Tees, U.K. The flaw allowed him to upload shellcode to eBay's network, which would have allowed him to deface part of the website or download the backend database.
Moore said eBay is working on a fix.
Sign up for CIO Asia eNewsletters.