PayPal’s attempt to validate a user and prevent a scripting attack by using CAPTCHA was actually misconfigured, and created a vulnerability; granted the vulnerability was taking advantage of an outside cross-site request forgery where a user would be attempting to authenticate to PayPal from a malicious site. In this case, the attempt to mitigate a vulnerability by further validating the authentication was a person and not a script that created a problem. This shows that even layers of added security must be validated. Bug Bounties are a good way to encourage ethical disclosure of vulnerabilities, which gives organisations the time to patch the issue before it can be exploited or posted online for cybercriminals to use.  Read Less