Slashdot Mirror
Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs
Mark Wilson writes: Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work. Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to give up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.
They'll pay. The companies are unforgivably stingy about paying security bounties. Obviously a good person is not going to sell it to black hats. But why would anyone investigate security in these companies without compensation guarantees or the intent to exploit them for personal profit?
Just stop even bothering to exploit them unless you interest is to sell the information to the highest bidder.
Help companies that want help if you're a good person and exploit stupid companies if you're a bad person.
Next issue.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
There's a dispute between two parties. I realize "company bad!" is everyone's default, but there ARE two sides to this story, and presenting one side with a heavy editorial slant is rarely productive.
Here are what appear to be the facts: A security researcher found several flaws on groupon.com. It's likely they were related, though how much so isn't directly stated. These flaws were reported to Groupon. At least some details related to at least some of the flaws were published online for a period of time, which may or may not be inadvertent. Groupon's stated policy is to reward researchers for reporting bugs, with a condition that the bugs are not also disclosed publicly before Groupon can address them. Groupon has declined to pay in this case because of the online posting.
Whether this is reasonable or horrible depends on a number of factor, for which we have only one person's word. Was the publishing of details inadvertent, or deliberate? How long was the post up? Did the post describe all the flaws, or just some? How detailed was the online description? Was the post proactively taken down by the author because it was posted "in error," or was it in response to Groupon's policy? How long did Groupon have information about this vulnerability before the online disclosure? All of these would affect my belief about who's being unreasonable to whom here.
They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
A safer internet doesn't put food on their table.
It's Groupon who is lining their pockets, when they could be building a safer internet by actually paying money for security. It's the reluctants of companies to take security seriously and spend time and money on it that leads to an unsafe internet.
And then we get dumb things like this "responsible disclosure program," which is really not about protecting users, but protecting Groupon's reputation. That is to say... it's a PR-protecting policy, not a policy for protecting users' safety. The unintentional disclosure they referenced regarding ONE of the 30 vulnerabilities didn't even reveal meaningful information about the vulnerability, therefore: Groupon was not concerned about exploit details being disclosed, but ONLY the fact that there was publicity being generated that said their site was insecure.
The researchers need the bounty proceeds to justify spending the time researching to discover them. It's the companies that are lining their pockets, by avoiding hiring people like these folks and other security professionals to do this ----- instead offering small bounties, only available if they DO discover something wrong after spending possibly thousands of hours beating around looking for something wrong.
very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality
Except this only works a couple times. Who is going to spend their time on Groupon now that they know they'll weasel out of paying?
... next time sell info to hxkers
I understand that he broke the terms. It is absolutely valid for Groupon to refuse to pay them.
From a 'big picture' point of view though, this was a very bad move. Security researchers are a group with whom you usually want to be on good terms. Maybe just reduce the payout over the one published exploit - but don't stiff the guy. Even if Brute Logic is a nice guy (tm) that continues to operate in a benevolent fashion, other security researchers (and their less-benevolent counterparts) may see this and decide that it is open season on Groupon.
An internal system operation returned the error "The operation completed successfully.".
I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
If they really wanted to line their pockets, they'd sell them to the black hats.
Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.
Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)
I'm sure they do have their own people looking for vulnerabilities, but if outsiders also find vulnerabilities they'd like to know.
As for the non-payout I doubt Groupon's motive is financial. Far more likely they really want to discourage people from disclosing the bugs publicly before they have a chance to fix them.
Whether Groupon is being reasonable is the question here.
I'm personally skeptical that the expert found 32 separate issues but suspect he found 32 variations on the same issue (he says 32 sites affected, which leads me to believe this is the case). If so the description of one issue could give an attacker enough of a clue to find the other 31 issues.
Then again it could be 32 legitimately unique issues, and the one vague disclosure might not have been enough to help an attacker. In that case Groupon should probably pay him out.
I stole this Sig
Yes, he did screw up: by getting things published on XSSposed.org before GroupOn fixed their issues.
You mean "thing", right? Only one, only by mistake, only for a short period of time.
I'm with the researcher on this one.
Shachar
So the bottom line for you is about the letter of the law rather than the spirit of the law?
If the 30 other bugs are forfeit because of a procedural mistake that only applied to one of the bugs, the next infosec researcher won't report 30 bugs. They will report them one at a time in an effort to maximize their rewards. The vulnerabilities will stay in the wild longer, the effectiveness of whole effort behind posting bounties is reduced.
Hunting for bugs sometimes requires consulting with others in the infosec community. From what I understand it was a fairly minor and well intentioned slip. A technicality.
If good intentions are met with pedantics & technicalities, I wonder how long those intentions will remain good.
People who are careful to not publicly disclose the issue before it is fixed? Yeah, it was a mistake, but one Groupon takes rather seriously. This is not 'weaseling out', this is a legitimate gripe that they decided to call him on. They could have been more understanding and that would be nice of them, but their grievance is real and they should not be shamed into pretending it is not.