Slashdot Mirror


Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs

Mark Wilson writes: Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work. Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to give up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.

6 of 148 comments

  1. Editorial slant much? by Anonymous Coward · Score: 5, Insightful

    There's a dispute between two parties. I realize "company bad!" is everyone's default, but there ARE two sides to this story, and presenting one side with a heavy editorial slant is rarely productive.

    Here are what appear to be the facts: A security researcher found several flaws on groupon.com. It's likely they were related, though how much so isn't directly stated. These flaws were reported to Groupon. At least some details related to at least some of the flaws were published online for a period of time, which may or may not be inadvertent. Groupon's stated policy is to reward researchers for reporting bugs, with a condition that the bugs are not also disclosed publicly before Groupon can address them. Groupon has declined to pay in this case because of the online posting.

    Whether this is reasonable or horrible depends on a number of factors, for which we have only one person's word. Was the publishing of details inadvertent, or deliberate? How long was the post up? Did the post describe all the flaws, or just some? How detailed was the online description? Was the post proactively taken down by the author because it was posted "in error," or was it in response to Groupon's policy? How long did Groupon have information about this vulnerability before the online disclosure? All of these would affect my belief about who's being unreasonable to whom here.

  2. Re:Good for them by mysidia · Score: 4, Insightful

    They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.

    A safer internet doesn't put food on their table.

    It's Groupon who is lining their pockets, when they could be building a safer internet by actually paying money for security. It's the reluctance of companies to take security seriously and spend time and money on it that leads to an unsafe internet.

    And then we get dumb things like this "responsible disclosure program," which is really not about protecting users, but protecting Groupon's reputation. That is to say... it's a PR-protecting policy, not a policy for protecting users' safety. The unintentional disclosure they referenced regarding ONE of the 30 vulnerabilities didn't even reveal meaningful information about the vulnerability, therefore: Groupon was not concerned about exploit details being disclosed, but ONLY the fact that there was publicity being generated that said their site was insecure.

    The researchers need the bounty proceeds to justify spending the time researching to discover them. It's the companies that are lining their pockets, by avoiding hiring people like these folks and other security professionals to do this, instead offering small bounties, only available if they DO discover something wrong after spending possibly thousands of hours beating around looking for something wrong.

  3. Re:Good for them by un1nsp1red · Score: 4, Insightful

    very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality

    Except this only works a couple times. Who is going to spend their time on Groupon now that they know they'll weasel out of paying?

  4. Re:Good for them by quantaman · Score: 4, Insightful

    I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.

    If they really wanted to line their pockets, they'd sell them to the black hats.

    Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.

    Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)

    I'm sure they do have their own people looking for vulnerabilities, but if outsiders also find vulnerabilities they'd like to know.

    As for the non-payout I doubt Groupon's motive is financial. Far more likely they really want to discourage people from disclosing the bugs publicly before they have a chance to fix them.

    Whether Groupon is being reasonable is the question here.

    I'm personally skeptical that the expert found 32 separate issues but suspect he found 32 variations on the same issue (he says 32 sites affected, which leads me to believe this is the case). If so the description of one issue could give an attacker enough of a clue to find the other 31 issues.

    Then again it could be 32 legitimately unique issues, and the one vague disclosure might not have been enough to help an attacker. In that case Groupon should probably pay him out.

    --
    I stole this Sig

  5. Re:He screwed up. by Sun · Score: 4, Insightful

    Yes, he did screw up: by getting things published on XSSposed.org before GroupOn fixed their issues.

    You mean "thing", right? Only one, only by mistake, only for a short period of time.

    I'm with the researcher on this one.

    Shachar

  6. Re:Sell it to black hats then... by stephanruby · Score: 4, Insightful

    And continuing on my initial line of thought.

    I think that Groupon should assign $500 to that one security flaw disclosed by Brute_Logic (again, it can't be 32 flaws, because it's essentially only one flaw on 32 sites owned by Groupon), and then it should give that money as a donation to the EFF (under the pseudonym Brute_Logic).

    This would send the right message to future researchers who discover future flaws, that Groupon can be fair, but that researchers need to follow protocol if they really want the money to go to them.