Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs
Mark Wilson writes: Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work. Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to give up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.
Full disclosure also encourages the vendors to fix their shitty code ASAP, and encourages a preemptive, security-conscious culture. These are good things.
I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
If they really wanted to line their pockets, they'd sell them to ......
Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win .......
I'm sure they do have their own people looking for vulnerabilities, but if outsiders also find vulnerabilities ....
Interesting...
Vulnerability testing is sometimes difficult from inside.
Companies have security policies that could make testing by employees quite difficult.
Testing from home is often excluded by company rules.
Network and hardware management also adds to this issue.
Laws are making it harder and harder for White hats to operate.
The issue of script-rich "experts" hunting bounties is interesting.
First, the bounty needs rules, and pre-disclosure rules need to be bounded in time.
"Fixing it when I darn well want to" is not a working answer.
Script-discovered flaws are likely industry-standard flaws, most with well-known solutions.
A list of script-triggered flaws that is as long as this tells me that the engineering staff and management need to have their bonus packages reviewed. It seems like a flawed culture. Non-payment of the bounty is a symptom if the report was held private for a fair length of time.
Some companies have "sat" on bugs and faults. The most famous list of faults is enumerated in the security book written by Robert Morris. Almost none were fixed; then his son coded the Morris worm. That should have been the clue to the industry, but it was not. The response was mostly legal, not technical, which is an inversion of the needs of national security, where the laws of a nation cannot protect from predators in other nations.
There is an astounding cognitive failure when a nation passes laws and fails to ... to address the technical reach of those outside the reach of the law. Predator drones are not an answer.
This flawed protectionist mindset by many US TLAs is a problem.
Other nations have the same issue and should be filing bugs with vendors left and right. Some nations might need a proxy for this, but again, national laws could find these people acting as agents of a foreign government, to their loss of freedom.
Kafka is giggling.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.
Possibly they don't mind bad press, but I'll bet they mind press that says their site is insecure, or that if you do business with them, "Your identity/credit card number might get stolen."
That's a good point.
By the way, it was actually one single XSS flaw that was affecting 32 different web sites.
At least, this is according to the researcher himself (either that, or he made a mistake expressing himself, because his English is obviously not too good). So if that's really the case that it was only one flaw, but on 32 sites, then I really do have no sympathy for him.
Once a vulnerability is disclosed for one site, it's obvious that hackers are going to try to exploit the same flaw on other sites owned by that same entity. And by disclosing the vulnerability of two sites, a disclosure which was not accidental at all, it's obvious that he was pissed off that Groupon wouldn't commit to any minimum amount of money for his initial disclosure.
Except, his "one mistake" was bragging about his find to his buddies (the exploits were found and submitted, so there was no reason to do so), and Oops! it went public, obviously in a way that Groupon happened to spot it as well*. Now it's essentially out in the wild before a fix was in, however you want to spin it. That's the exact opposite of "responsible disclosure". If you tell someone else about an exploit, even in private, you no longer have control of that information. Groupon is, I think, making a point that they take the "responsible disclosure" part of that agreement seriously.
Note in the article:
He also points out that another company, Sucuri Security, was happy to pay out even after a tweet revealed some details of a security flaw in their product.
Was this also by him, meaning this isn't the first time he's done this? Or one of his colleagues? How do you accidentally tweet about an undisclosed security disclosure? Is it too much to ask them to simply NOT blab about it to others in public forums? Either way, it seems like these guys need to learn how to keep their mouths shut about the vulnerabilities they discover until the fix is confirmed, that is, if they actually want a bounty. What the hell is so hard about NOT talking about a security exploit you've discovered? Ok, sort of a dick move by Groupon (no surprise), but it's hard for me to feel too sorry for this guy either.
* My theory is that Groupon was actually emailed that the vulnerability was made public on XSSposed.org. If a company doesn't respond, XSSposed simply publishes the vulnerability and emails a notification to the webmaster, as they seem to be all about public exposure. This site also gives "rankings" to security researchers, so there seems to be an incentive to share the details of an exploit before it's fixed with others on the site in order to get "credit" for the discovery (and this guy is at the top of the list), which seems like a really bad incentive.
Irony: Agile development has too much inertia to be abandoned now.