Slashdot Mirror


Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs

Mark Wilson writes: Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work. Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to give up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.

7 of 148 comments

  1. Re:Good for them by hawguy · Score: 4, Informative

    I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.

    If they really wanted to line their pockets, they'd sell them to the black hats.

    Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.

    Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)

  2. Don't follow the rules, don't get paid. by jklovanc · Score: 5, Informative

    Part of the requirements to be paid a bounty is following the "responsible disclosure policy". The submitter did not follow that policy and therefore did not get paid. It seems pretty simple.

    1. Re:Don't follow the rules, don't get paid. by Anonymous Coward · Score: 1, Informative

      Nowhere in the policy does it say that the exploit cannot be published. But there is the magic pull the rug out from under everyone clause: "Notwithstanding any of the above, Groupon reserves the right to cancel or modify this program at any time and without notice."

      http://www.groupon.com/pages/responsible-disclosure

      The man should be paid. Fuck Groupon if they don't follow through and do the right thing.

    2. Re:Don't follow the rules, don't get paid. by Stewie241 · Score: 3, Informative

      Well the policy does say that they will not pay out for "Bugs that have been disclosed publicly or to third parties (brokers) by you or others"

  3. Re:Sell it to black hats then... by stephanruby · Score: 3, Informative

    They'll pay.

    It depends.

    Groupon's entire business model is based on extracting as much cash as possible from desperate businesses, even if that means those businesses go bankrupt. Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.

    Also, 32 XSS security issues seems like a pretty high number. Personally, I wouldn't be surprised if those 32 XSS vulnerabilities traced back to a single problem. That being said, I have no idea if that's the case, or not.

    Either this researcher, or Groupon, would have to tell us what those 32 XSS vulnerabilities were in the first place, for us to really understand this situation.

  4. Re:He screwed up. by Anonymous Coward · Score: 2, Informative

    Yes, he did screw up: by getting things published on XSSposed.org before GroupOn fixed their issues.

  5. Re:Sell it to black hats then... by Antique+Geekmeister · Score: 3, Informative

    > Black hats are not some cartoonish sinister force

    I've worked with both white hat and black hat crackers. Most black hat crackers, by an overwhelming majority, are _very_ cartoonish. That cartoonish and mostly incompetent majority does not pay their bills, they do not protect the confidentiality of their targets or of their colleagues, they violate their agreements, and they will attack the accounts and systems of the people who have already paid them once.

    Are there black hat crackers who keep their deals and their word? Yes, there are; I can think of several I consider professional colleagues. They break laws, but they turn around and sell their services to vulnerable clients to shore up their defenses, and I applaud their work. I would expect them to be willing to pay a modest sum for a zero-day exploit to add to their toolkit. But they're very much the exception. Go spend some time on the IRC channel "4chan" to get a much better sense of what the average black hat cracker is like.