Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs

← Back to Stories (view on slashdot.org)

Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs

Posted by samzenpus on Thursday April 23, 2015 @11:57AM from the pay-the-man dept.

Mark Wilson writes: Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work. Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to give up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.

148 comments

Min score:

Reason:

Sort:

He screwed up. by Anonymous Coward · 2015-04-23 12:02 · Score: 1

Should have made 30 separate submissions from 30 separate e-mail addresses.
1. Re:He screwed up. by Anonymous Coward · 2015-04-23 13:33 · Score: 2, Informative
  
  Yes, he did screw up: by getting things published on XSSposed.org before GroupOn fixed their issues.
2. Re:He screwed up. by Sun · 2015-04-23 14:38 · Score: 4, Insightful
  
  Yes, he did screw up: by getting things published on XSSposed.org before GroupOn fixed their issues.
  You mean "thing", right? Only one, only by mistake, only for a short period of time.
  I'm with the researcher on this one.
  Shachar
3. Re:He screwed up. by Dutch+Gun · 2015-04-23 23:23 · Score: 5, Interesting
  
  Except, his "one mistake" was bragging about his find to his buddies (the exploits were found and submitted, so there was no reason to do so), and Oops! it went public, obviously in a way that Groupon happened to spot it as well*. Now it's essentially out in the wild before a fix was in, however you want to spin it. That's the exact opposite of "responsible disclosure". If you tell someone else about an exploit, even in private, you no longer have control of that information. Groupon is, I think, making a point that they take the "responsible disclosure" part of that agreement seriously.
  Note in the article:
  
  He also points out that another company, Sucuri Security, was happy to pay out even after a tweet revealed some details of a security flaw in their product.
  Was this also by him, meaning this isn't the first time he's done this? Or one of his colleagues? How do you accidentally tweet about an undisclosed security disclosure? Is it too much to ask them to simply NOT blab about it to others in public forums? Either way, it learns like these guys need to learn how to keep their mouths shut about the vulnerabilities they discover until the fix is confirmed, that is, if they actually want a bounty. What the hell is so hard about NOT talking about a security exploit you've discovered? Ok, sort of a dick move by Groupon (no surprise), but it's hard for me to feel too sorry for this guy either.
  * My theory is that Groupon was actually emailed that the vulnerability was made public on XSSposed.org. If a company doesn't respond, XSSposed simply publishes the vulnerability and emails a notification to the webmaster, as they seem to be all about public exposure. This site also gives "rankings" to security researches, so there seems to be an incentive to share the details of an exploit before it's fixed with others on the site in order to get "credit" for the discovery (and this guy is that the top of the list), which seems like a really bad incentive.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
4. Re:He screwed up. by jythie · 2015-04-24 01:41 · Score: 1
  
  Even if 'only once, by mistake', he still did something that their disclosure rules explicitly said not to do or it invalided the process. It would be nice if they made an exception or were more understanding, but they are under no obligation and have every right to be pissed off, even if it was an accident.
  
  Think about when a company accidently puts an archive of customer details up on their download site. Even if they fix it quickly and it was an honest mistake, they still screwed up and people are going to be annoyed with them.
5. Re:He screwed up. by farble1670 · 2015-04-24 08:51 · Score: 1
  
  You mean "thing", right? Only one, only by mistake, only for a short period of time.
  you new to the internet? you can't expose something for a "short period of time". once it's posted, it lives on. anyone could have copied it. maybe you'd like to post your credit card card info for a "short period of time". you okay with that? it's only one "thing" after all.
  that's the whole point of a bounty system: to get folks to report bugs to you *privately* before they are discovered publicly. he got what he deserves. this is nothing more than sour grapes. he wanted his bounty, and the public fame of posting to xssposed.org. well, can't have both.
6. Re:He screwed up. by Sun · 2015-04-24 16:02 · Score: 1
  
  Let's tone down the ad-hominem, please.
  I brought forward the period of time the data was published as indication of intent. It does imply that the publication was unintended.
  There is a Hebrew proverb, "the law will puncture the mountain". It means strict adherence to the letter of the law, regardless of circumstances (or common sense).
  If you say "that's the agreement, and he violated it, however brief and however unintentional", then you still have to account to the 30 other vulnerabilities, for which Groupon is also refusing to pay, for no good reason at all.
  Shachar
7. Re:He screwed up. by farble1670 · 2015-04-28 13:38 · Score: 1
  
  really? what message would paying him send?! if you find 3 vulnerabilities, go ahead and expose 2 of them. ruin our business. no problem. we'll pay you big bucks for the one you didn't release.
  and IMHO, why would they? he did them wrong, very wrong. they shouldn't reward him for that. consider it this way. the potential harm of publicly exposing the issue is massive. you seem to be claiming it's a zero. it isn't. it's a negative -1,000,000,000. 30 - 1,000,000,000 is a negative number. he's far from being in the black in the good will department.
  the bug bounty program isn't a formal agreement bound by law. it's completely at the discretion of the sponsor company. that means that if they don't like your actions, or just the cut of your jib, they don't *have* to pay you. maybe the CEO saw your dog poop on his lawn. yep, no payment. welcome to life.
Good for them by Anonymous Coward · 2015-04-23 12:02 · Score: -1

I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
1. Re:Good for them by hawguy · 2015-04-23 12:08 · Score: 4, Informative
  
  I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
  If they really wanted to line their pockets, they'd sell them to the black hats.
  Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.
  Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)
2. Re:Good for them by Anubis+IV · 2015-04-23 12:13 · Score: 1
  
  How did he hold it hostage? He disclosed the vulnerabilities to them privately before doing anything else. This wasn't a case of "shame them now, hope for a payout later". It was a case of "responsible disclose it privately, then do a stupid thing by disclosing it publicly before they've had a chance to pay you". As much as I don't like Groupon, I'm not sure which side of this disagreement I think is (most) in the wrong.
3. Re:Good for them by mysidia · 2015-04-23 12:43 · Score: 4, Insightful
  
  They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
  A safer internet doesn't put food on their table.
  It's Groupon who is lining their pockets, when they could be building a safer internet by actually paying money for security. It's the reluctants of companies to take security seriously and spend time and money on it that leads to an unsafe internet.
  And then we get dumb things like this "responsible disclosure program," which is really not about protecting users, but protecting Groupon's reputation. That is to say... it's a PR-protecting policy, not a policy for protecting users' safety. The unintentional disclosure they referenced regarding ONE of the 30 vulnerabilities didn't even reveal meaningful information about the vulnerability, therefore: Groupon was not concerned about exploit details being disclosed, but ONLY the fact that there was publicity being generated that said their site was insecure.
  The researchers need the bounty proceeds to justify spending the time researching to discover them. It's the companies that are lining their pockets, by avoiding hiring people like these folks and other security professionals to do this ----- instead offering small bounties, only available if they DO discover something wrong after spending possibly thousands of hours beating around looking for something wrong.
4. Re:Good for them by un1nsp1red · 2015-04-23 12:54 · Score: 4, Insightful
  
  very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality
  Except this only works a couple times. Who is going to spend their time on Groupon now that they know they'll weasel out of paying?
5. Re:Good for them by aaronb1138 · 2015-04-23 13:12 · Score: 1
  
  Security "experts" who do little more than run a pre-built set of scripts against websites. It's five minutes of work for them to roll the dice that they might get a payout. Even if the security firm invested serious time in developing the tools and scripts, their spamming their tests out and wanting a payday not commensurate with the scalability of their approach.
6. Re:Good for them by NormalVisual · 2015-04-23 13:26 · Score: 1
  
  If they really wanted to line their pockets, they'd sell them to the black hats.
  
  And who's to say that he doesn't have another three dozen that he knows about, but held back?
  
  --
  Please stand clear of the doors, por favor mantenganse alejado de las puertas
7. Re:Good for them by quantaman · 2015-04-23 13:32 · Score: 4, Insightful
  
  I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
  If they really wanted to line their pockets, they'd sell them to the black hats.
  Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.
  Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)
  I'm sure they do have their own people looking for vulnerabilities, but if outsiders also find vulnerabilities they'd like to know.
  As for the non-payout I doubt Groupon's motive is financial. Far more likely they really want to discourage people from disclosing the bugs publicly before they have a chance to fix them.
  Whether Groupon is being reasonable is the question here.
  I'm personally skeptical that the expert found 32 separate issues but suspect he found 32 variations on the same issue (he says 32 sites affected, which leads me to believe this is the case). If so the description of one issue could give an attacker enough of a clue to find the other 31 issues.
  Then again it could be 32 legitimately unique issues, and the one vague disclosure might not have been enough to help an attacker. In that case Groupon should probably pay him out.
  
  --
  I stole this Sig
8. Re: Good for them by Anonymous Coward · 2015-04-23 13:54 · Score: 1
  
  If it's so easy then they really don't have an excuse and should be forced to pay. The work is important and it's been done. It needs to be paid for.
9. Re: Good for them by Anonymous Coward · 2015-04-23 13:54 · Score: 0
  
  Right, it's so easy that Groupon itself wouldn't spend the five minutes themselves
10. Re:Good for them by Whiteox · 2015-04-23 13:57 · Score: 1
  
  I don't get it. Someone please explain to the rest of us if there is either a verbal or written contract between security experts and website/merchanting/data corporations or business? Or is this some kind of tradition or unwritten corporate responsibility?
  
  --
  Don't be apathetic. Procrastinate!
11. Re:Good for them by Whiteox · 2015-04-23 14:03 · Score: 0
  
  Forget it. I found out how the system operates.
  
  --
  Don't be apathetic. Procrastinate!
12. Re:Good for them by erice · 2015-04-23 14:21 · Score: 2
  
  (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)
  Maybe there is only one bug and the remaining 29 are just trivial exploit variations of a single error. Of course, if that were true, it would help if Groupon actually explained that rather than hiding behind generalized and opaque "policy" reasons.
13. Re:Good for them by Anonymous Coward · 2015-04-23 14:35 · Score: 0
  
  It is also easy for me to diagnose many common problems in a nuclear reactor safety and protection system. That does not mean I should only be paid $5 because it only took my 10 minutes.
  A bug in software could be one line of code to fix or exploit, do you pay a security expert $5 because he only wrote one line of code?
14. Re:Good for them by Anonymous Coward · 2015-04-23 14:59 · Score: 0
  
  If researchers can spam their tests out and want a payday not commensurate with the scalability of their approach, so can black hats. Do you think it's better that the vulnerabilities be unreported by security researchers?
15. Re:Good for them by epyT-R · 2015-04-23 15:19 · Score: 3, Interesting
  
  Full disclosure also encourages the vendors to fix their shitty code asap, and encourages a preemptive security conscious culture. These are good things.
16. Re:Good for them by Anonymous Coward · 2015-04-23 15:28 · Score: 0
  
  And programming "experts" merely run compilers. Tools of the trade does not make the task.
17. Re:Good for them by manquer · 2015-04-23 15:31 · Score: 1
  
  No he is saying experts will still participate in programs because it is not too much effort and possibility of a payday will keep them in the program, despite poor track record of these companies.
  
  Obviously you would loose the best experts who will spend the time and have the expertise to find the most obscure vulnerabilities. If those researchers where not interested at all in the program ( too small bounty for the effort, groupon track record etc) then Groupon losses nothing by having stingy payment policies.
18. Re: Good for them by manquer · 2015-04-23 15:33 · Score: 1
  
  It might be 5 minute effort for a single application, for someone who is spending is whole time testing dozens of applications everyday, tweaking,refining the scripts etc. It might be a full time job for an in house expert and he will cost lot more than a bounty program.
19. Re:Good for them by niftymitch · 2015-04-23 15:39 · Score: 3, Interesting
  
  I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
  If they really wanted to line their pockets, they'd sell them to ......
  Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win .......
  I'm sure they do have their own people looking for vulnerabilities, but if outsiders also find vulnerabilities ....
  Interesting...
  Vulnerability testing is sometimes difficult from inside.
  Companies have security policies that could make testing by employees quite difficult.
  Testing from home is often excluded by company rules.
  Network and hardware management also adds to this issue.
  Laws are making it harder and harder for White hats to operate.
  The issue of script rich "experts" hunting bounty is interesting.
  First the bounty needs rules and pre disclosure rules need to be bounded in time.
  Fixing it when I darn well want to is not no a working answer.
  Script discovered flaws are likely industry standard flaws most with well known solutions.
  A list of script triggered flaws that is as long as this tells me that the engineering
  staff and management need to have their bonus packages reviewed. It seems
  like a flawed culture. Non payment of the bounty is a symptom if the report
  was held private for a fair length of time.
  Some companies have "sat" on bugs and faults. The most famous list of faults
  are enumerated in the security book written by Robert Morris. Almost none were fixed then
  his son coded the Morris worm. That should have been the clue to the
  industry but it was not. The response was mostly legal not technical which
  is an inversion of the needs of national security where the laws of a nation
  cannot protect from predators in other nations.
  There is an astounding cognitive failure when a nation passes laws and fails to
  to address the technical reach of those outside the reach of the law. Predator drones
  are not an answer ...
  This flawed protectionist mind set by many US TLAs is a problem.
  Other nations have the same issue and should be filing bugs with vendors
  left and right. Some nations might need a proxy for this but again
  national laws could find these people acting as agents of a foreign government
  to their loss of freedom.
  Kafka is giggling.
  
  --
  Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
20. Re:Good for them by Anonymous Coward · 2015-04-23 16:17 · Score: 0
  
  That just doesn't make sense, now does it?
  If its "just a script" to run, then why doesn't Groupon acquire and run the script themselves?
  Even if it is "just a script", the guy ran when Groupon didn't and the guy found the weakness that Groupon didn't.
  Sometimes the "no-brainer" really isn't a no-brainer; sometimes it isn't obvious.
21. Re:Good for them by Anonymous Coward · 2015-04-23 17:58 · Score: 1
  
  A:"What is this? You expect me to pay you $1,000 to fix one line of code, which took you less than 5 minutes to do?? I demand an itemized bill!
  B: Takes back the bill and tears it up. Writes something on a fresh billing sheet and hands it to A.
  A: (reading new billing aloud) "Item One. Fixing one line of code: $5. Item Two. Knowing which line to fix: $995."
22. Re:Good for them by oobayly · 2015-04-23 19:19 · Score: 1
  
  Want to share your knowledge?
23. Re:Good for them by Whiteox · 2015-04-23 20:38 · Score: 1
  
  http://www.groupon.com/pages/r...
  Looks like other companies give out rewards. I did not know that.
  So if you are a security expert, find something, report it and don't get paid then an implied contract is broken.
  
  --
  Don't be apathetic. Procrastinate!
24. Re:Good for them by Anonymous Coward · 2015-04-23 22:45 · Score: 1
  
  Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.
  Oh, so you think that bad guys can't afford hiring people with skills, and can't afford to buy exploits on the black market?
  Out in the real world, when you find a vulnerability, it is likely that someone somewhere is already exploiting it. When you give the company that caused the problem time to have their marketing people do damage control, you are also giving the bad guys time extra time to exploit the vulnerability. Meanwhile, the losers in that game are the people running the software. The only responsible thing to do is to warn the users to take precautions (such as not running the software, or only doing so behind a firewall), which will both hamper the bad guys AND force the company to fix it faster than marketing would otherwise allow them to.
  It should thus not be a surprise to anyone that marketing people have defined "responsible disclosure" as "let the bad guys run wild while waiting for damage control", which is NOT responsible, and can hardly be labelled disclosure.
25. Re:Good for them by jythie · 2015-04-24 01:43 · Score: 1, Insightful
  
  People who are careful to not publicly disclose the issue before it is fixed? Yeah, it was a mistake, but one Groupon takes rather seriously. This is not 'weaseling out', this is a legitimate gripe that they decided to call him on. They could have been more understanding and that would be nice of them, but their grievance is real and they should not be shamed into pretending it is not.
26. Re: Good for them by praxis · 2015-04-24 04:15 · Score: 2
  
  Especially since it appears sometimes bounty programs cost almost nothing to implement.
27. Re:Good for them by PlusFiveTroll · 2015-04-24 04:30 · Score: 1
  
  > then Groupon losses nothing by having stingy payment policies.
  Unless those experts sell their exploit to the black market and a successful exploit is carried out against Groupon and it's customers. Then I'd say they have lost something.
28. Re:Good for them by PlusFiveTroll · 2015-04-24 04:33 · Score: 1
  
  Those who make peaceful vulnerability discovery impossible will make violent exploiting inevitable.
29. Re:Good for them by Triklyn · 2015-04-24 04:51 · Score: 1
  
  for one exploit that was refused, how is it legitimate to deny the bounty for the other 29?
  i imagine they just made an enemy, or at least lost an ally, over 10k at most?
  you how bad a hit they'd take if they had a theft of data? target claims that their data breach depressed their holiday profits by 47 percent...
  i think groupon has got yearly profits in the billions range... and they're quibbling over a few thousand?
30. Re:Good for them by amicusNYCL · 2015-04-24 05:04 · Score: 1
  
  They definitely could have played it differently. The fact that the disclosure post was removed quickly may indicate wrongdoing, that he realized he messed up. So, fine, remove the disclosed vulnerabilities from the bounty, but still pay the bounty for the others. If he had submitted each issue separately they would have paid the others that he didn't disclose.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
31. Re:Good for them by Anonymous Coward · 2015-04-24 06:57 · Score: 0
  
  I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
  And you personally should do a lot more things for my benefit that doesn't line your pockets (or even costs you money) too.
  You go first.
32. Re:Good for them by david_thornley · 2015-04-24 08:41 · Score: 1
  
  Depends. If the vendor intends to fix reported problems reasonably fast, then full disclosure gives the bad guys a boost up. If the vendor doesn't care about reported problems, it might light a fire under them. Knowing nothing about how Groupon addresses reported vulnerabilities, all I can say is that they can set bounty rules as they like, and people either will or won't look for vulnerabilities.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
33. Re:Good for them by farble1670 · 2015-04-24 08:54 · Score: 1
  
  Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win
  maybe you aren't familiar with how bug bounties work. it's when a company pays a finder for *privately* reporting issues before they are discovered publicly. this guy did both. he reported it privately when went on to disclose it publicly. you think a company should reward someone for disclosing security vulnerabilities publicly before they have a chance to fix them?
34. Re:Good for them by farble1670 · 2015-04-24 08:57 · Score: 1
  
  Except this only works a couple times. Who is going to spend their time on Groupon now that they know they'll weasel out of paying?
  groupon would rather bugs not be reported at all than having them posted openly on the internet before they have a chance to fix them. anyone would. this guy did them a major disservice.
35. Re:Good for them by farble1670 · 2015-04-24 09:03 · Score: 1
  
  for one exploit that was refused, how is it legitimate to deny the bounty for the other 29?
  because life's not completely disconnected like that?
  because you don't pay someone that publicly exposed exploits without giving you a chance to fix them.
  say you paid a guy to mow your lawn for $20 and wash your car for $20. he does a fine job mowing your lawn, but in the process of washing your car he breaks your windshield and slits your tires (maliciously, and offering no compensation). would you pay him for mowing your lawn?
36. Re:Good for them by farble1670 · 2015-04-24 09:14 · Score: 1
  
  he fact that the disclosure post was removed quickly may indicate wrongdoing, that he realized he messed up. So, fine, remove the disclosed vulnerabilities from the bounty, but still pay the bounty for the others.
  sometimes when you f-up you just have to eat it. accept responsibility and the outcome of YOUR mistake. behavior like this is a side affect of the having parents that never let your learn lessons the hard way. lost your iPod little Johnny? we'll buy you a new one. i don't blame him for being upset. anyone would be upset. but it's his mistake.
  
  If he had submitted each issue separately they would have paid the others that he didn't disclose.
  almost certainly not. they are not paying him because he did something very irresponsible. he did exactly what that the bounty program is trying to prevent. it's like if you offered someone $20 to wash your car, which they did, but then threw a bucket of mud on it. would you still pay them the $20?
37. Re:Good for them by amicusNYCL · 2015-04-24 11:24 · Score: 1
  
  it's like if you offered someone $20 to wash your car, which they did, but then threw a bucket of mud on it. would you still pay them the $20?
  Uh, no. But if I got 30 washes, and the car was cleaned 29 times, and one time it had mud on it, I would still pay for the other 29 washes.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
38. Re:Good for them by Xenx · 2015-04-24 12:29 · Score: 1
  
  The short answer is yes. If there is an agreement in place to pay for work performed, then you pay. That doesn't prevent you from taking separate action for the malicious activity. Now, if the payment arrangement for $40 upon completion of both.. you'd have an argument.
39. Re:Good for them by epyT-R · 2015-04-25 04:50 · Score: 1
  
  Perhaps, but then vendors who routinely do not fix their shit promptly will have bad reputations from repeated breaches, as it should be. Hopefully such companies go out of business.
  Of course, they can set them as they please, but I can also criticize 'ethical hacker' policies that are too soft on vendors.
40. Re:Good for them by manquer · 2015-04-25 22:31 · Score: 1
  
  Selling it the black market is only half the part, not getting caught is the important part. More damage a exploit can cause Groupon ( i.e. higher the value on the market) more the chances law enforcement will be knocking on your door.
  
  Companies like Groupon face a higher risk from dissatisfied(or the dumb ones exposed to phishing/social engineering ) employees leaking information than from external exploits, so they are screwed anyway if white hats/employees start acting in bad faith. They are counting on good faith of majority of the players and possibility of punishment via law enforcement to save them.
41. Re:Good for them by Triklyn · 2015-04-27 01:51 · Score: 1
  
  it seems it was 1 exploit that affected 30 systems. so the point is moot.
  as an exercise though, yes, yes you do.
  if this were a business decision/transaction at all you would.
  if it were 30 separate exploits, you would pay him for 30 exploits, and charge him damages for the 1 that got away. Penalties or what have you. And you do this because it's more orderly that way, and you're trying to be aboveboard with this individual and with the community as a whole. For future collaboration.
  You do it so the guy has no story to spread, about how you don't honor your agreement... because again, it's business.
  In your example, this is one of the only guys that mows lawns in your area, and guess what, the lawn mower's association is pretty fucking tight-knit... and it's all illegals, so that 20 buck sounds about right.
  You've asked around, and anybody else that you want to do it will cost 40 buck a week to do the same thing that these guys wanted 20 buck per mowing wanted. and they only had to come around every other week. Oh, and guess what, you're in california, and this grass is dry as fuck. And if fire ever comes back and you've got an unmowed lawn, your headquarters is going to burn the hell down.
  this would be a parallel situation. you suck it up, and treat it like business, and show that you'll pay for work done, and honor your word, otherwise you're out bigger money one way or the other.
42. Re:Good for them by farble1670 · 2015-04-27 04:31 · Score: 1
  
  if it were 30 separate exploits, you would pay him for 30 exploits, and charge him damages for the 1 that got away.
  man, life, you're new to it huh? good luck when you leave you mom's basement and discover that's not how life works.
43. Re:Good for them by Triklyn · 2015-04-27 06:44 · Score: 1
  
  :) depends on the business you're in. but it's how it's done in at least one fast-paced industry... trucking... and probably a shit-ton more than that.
  you get a relationship, you forgo the contract. payment on delivery, and you don't quibble over the small stuff. establish terms, and if the other guy delivers on time, you pay him, if he says you owe him money, you verify it, and you pay him. If he fucks something up, he gives you a discount on the invoice or he pays for it. You don't fucking jeopardize your relationship over... what certainly amounts to less than a fucking percent of your operating costs.
  and yes, you get pay, because the other guy delivered on 30 things, and if you quibble over one, you quibble over one. But you do it above board, because you're both making money out of the relationship, and it's retarded to jeopardize the future profits for... a pittance.
Sell it to black hats then... by Karmashock · 2015-04-23 12:02 · Score: 3, Insightful

They'll pay. The companies are unforgivably stingy about paying security bounties. Obviously a good person is not going to sell it to black hats. But why would anyone investigate security in these companies without compensation guarantees or the intent to exploit them for personal profit?
Just stop even bothering to exploit them unless you interest is to sell the information to the highest bidder.
Help companies that want help if you're a good person and exploit stupid companies if you're a bad person.
Next issue.

--
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
1. Re:Sell it to black hats then... by stephanruby · 2015-04-23 13:06 · Score: 3, Informative
  
  They'll pay.
  It depends.
  Groupon's entire business model is based on extracting as much cash as possible from desperate businesses, even if that means those businesses go bankrupt. Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.
  Also, 32 XSS security issues seems like a pretty high number. Personally, I wouldn't be surprised if those 32 XSS vulnerabilities traced back to a single problem. That being said, I have no idea if that's the case, or not.
  Either this researcher, or Groupon, would have to tell us what those 32 XSS vulnerabilities were in the first place, for us to really understand this situation.
2. Re:Sell it to black hats then... by mysidia · 2015-04-23 13:34 · Score: 3, Insightful
  
  Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.
  Possibly they don't mind bad press, but i'll bet they mind press that says their site is insecure, or that if you do businesses with them, "Your identity/credit card number might get stolen"
  That's probably why they got fussy and denied the researcher's bounty, when a note that a XSS bug (without substantive details) had been published.
  Sounds like maybe the "responsible disclosure" policy was about protecting the site's reputation, not their users' security.
3. Re:Sell it to black hats then... by Anonymous Coward · 2015-04-23 15:11 · Score: -1
  
  Why do you suggest that only "bad people" would sell to black hats? Isn't an organization that damages a monopolists market position actually doing good work?
4. Re:Sell it to black hats then... by Antique+Geekmeister · 2015-04-23 16:55 · Score: 1
  
  Black hats are even less likely to pay. There's no binding contract to do an illegal thing, no lawyers, and many black hats will simply attack your systems if you try to deal with them, the only loss if they try to rip you off is to their "reputation", and in general they do not care or use a sock puppet anyway.
5. Re:Sell it to black hats then... by Anonymous Coward · 2015-04-23 17:16 · Score: 0
  
  Bullshit. Black hat markets are huge on traditional ideas like customer service and repeat business. Not to mention that the buyers of zero-days are usually a hell of a lot more dangerous to cross than the sellers. These people are in a lot of ways more accountable then lawyers and are a heck of a lot less likely to rip you off.
6. Re:Sell it to black hats then... by Anonymous Coward · 2015-04-23 18:16 · Score: 0
  
  It is clear that you are ignorant on the matter. Black hats are not some cartoonish sinister force. They and security researchers are peers, and there is significant moonlighting overlap. Conduct in financial transactions are excellent with reputation, escrows, repeat business, and following of protocols all being very important.
  In the end when it comes to money changing hands for information black hats are more reliable and more trustworthy than MBAs, thus this news article.
7. Re:Sell it to black hats then... by Cederic · 2015-04-23 18:34 · Score: 2
  
  To be fair, the report suggests they took the bug notification seriously and were discussing a patch.
  So they're trying to protect the site's reputation AND their users' security.
8. Re:Sell it to black hats then... by stephanruby · 2015-04-23 19:00 · Score: 3, Interesting
  
  Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.
  Possibly they don't mind bad press, but i'll bet they mind press that says their site is insecure, or
  that if you do businesses with them, "Your identity/credit card number might get stolen"
  That's a good point.
  By the way, it was actually one single XSS flaw that was affecting 32 different web sites.
  At least, this is according to the researcher himself (either that, or he made a mistake expressing himself, because his English is obviously not too good). So if that's really the case that it was only one flaw, but on 32 sites, then I really do have no sympathy for him.
  Once a vulnerability is disclosed for one site, it's obvious that hackers are going to try to exploit the same flaw on other sites owned by that same entity And by disclosing the vulnerability of two sites, a disclosure which was not accidental at all, it's obvious that he was pissed off that Groupon wouldn't commit to any minimum amount of money for his initial disclosure .
9. Re:Sell it to black hats then... by stephanruby · 2015-04-23 19:21 · Score: 4, Insightful
  
  And continuing on my initial line of thought.
  I think that Groupon should assign $500 to that one security flaw disclosed by Brute_Logic (again, it can't be 32 flaws, because it's essentially only one flaw on 32 sites owned by Groupon), and then it should give that money as a donation to the EFF (under the pseudonym Brute_Logic).
  This would send the right message to future researchers who discover future flaws, that Groupon can be fair, but that researchers need to follow protocol if they really want the money to go to them.
10. Re:Sell it to black hats then... by Karmashock · 2015-04-23 19:52 · Score: 1
  
  If I can rip customer credit card information from them, that will matter. Are you going to buy a coupon from them if someone can steal your credit card information from their payment system?
  
  --
  I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
11. Re:Sell it to black hats then... by Karmashock · 2015-04-23 20:04 · Score: 1
  
  Yes, only bad people would sell to black hats.
  
  --
  I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
12. Re:Sell it to black hats then... by Antique+Geekmeister · 2015-04-24 00:45 · Score: 3, Informative
  
  > Black hats are not some cartoonish sinister force
  I've worked with both white hat and black hat crackers. Most black hat crackers, by an overwhelming majority, are an _very_ cartoonish. That cartoonish and mostly incompetent majority does not pay their bills, they do not protect the confidentiality of their targets or of their colleagues, they violate their agreements, and they will attack the accounts and systems of the people who have already paid them once.
  Are there black hat crackers who keep their deals and their word? Yes, there are I can think of several I consider professional colleagues. They break laws, but they turn around and sell their services to vulnerable clients to shore up their defenses, and I applaud their work. I would expect them be willing to pay a modest sum for a zero-day exploit to add to their toolkit. But they're very much the exception. Go spend some time on the IRC chnnel "4chan" to get a much better sense of what the average black hat cracker is like.
13. Re:Sell it to black hats then... by Anonymous Coward · 2015-04-24 01:20 · Score: 0
  
  > Go spend some time on the IRC chnnel "4chan" to get a much better sense of what the average black hat cracker is like.
  Or just talk with any NSA employee
14. Re:Sell it to black hats then... by JackieBrown · 2015-04-24 03:03 · Score: 1
  
  Are you going to buy a coupon from them if someone can steal your credit card information from their payment system?
  People still buy from Targert
15. Re:Sell it to black hats then... by Karmashock · 2015-04-24 03:54 · Score: 1
  
  That's because no one knows if anyone was actually hurt because of that. All we know is that they had a breach.
  The banks likely ate most of the pain but they are suing target for the liability.
  So... no, companies don't just get away with that.
  
  --
  I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
16. Re:Sell it to black hats then... by ultranova · 2015-04-24 04:18 · Score: 1
  
  Obviously a good person is not going to sell it to black hats.
  
  You mean a law-abiding person. A good person does not prey on innocents, but Corporate America provides plenty of food satisfying any reasonable standard of sufficient sinfulness you care to set to qualify as an acceptable target.
  It's why movies that want robbers seem heroic often use casinos as targets: no one's going to shed a single tear when those who exploit people's dreams to fleece them get victimized in turn.
  
  --
  Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
17. Re:Sell it to black hats then... by Karmashock · 2015-04-24 04:22 · Score: 1
  
  This is the sort of mentality that lets people think it is okay to plant bombs to blow up police cars because you're mad about the vietnam war or something.
  to which I can only respond with this:
  https://www.youtube.com/watch?...
  
  --
  I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
18. Re:Sell it to black hats then... by Triklyn · 2015-04-24 05:04 · Score: 1
  
  targets report 47 % drop in profits during the period immediately following... compared to i believe expectations of a year earlier.
19. Re:Sell it to black hats then... by Anonymous Coward · 2015-04-24 08:25 · Score: 0
  
  Best answer to this situation! Best answer in this thread.
20. Re:Sell it to black hats then... by mysidia · 2015-04-24 11:26 · Score: 1
  
  So they're trying to protect the site's reputation AND their users' security.
  Sure, they take the notification seriously and are patching by all apparent counts --- i'm not doubting that they are concerned about their site's security as well.
  That doesn't fully speak to the purpose of the "responsible disclosure" policy, and why they've decided to smite the researcher, however.
Public shaming! by TsuruchiBrian · 2015-04-23 12:02 · Score: 1, Funny

That's how problems get fixed these days isn't it? Let's do what we always do, and publicly shame groupon until they do the right thing. Internet DEPLOY!
1. Re: Public shaming! by Anonymous Coward · 2015-04-23 12:17 · Score: 0
  
  Groupon has always been about public shaming. Why else do the get large groups of people to go to a business all at the same time? To get a good price or they shame you.
  The world would be better off without assholes like Groupon and Yelp.
2. Re: Public shaming! by TsuruchiBrian · 2015-04-23 12:55 · Score: 1
  
  You sound like a bitter restaurant owner.
3. Re: Public shaming! by Anonymous Coward · 2015-04-23 13:04 · Score: 0
  
  And that continues your discussion how? FYI I'm not a business owner of any kind. Your jumping to conclusions is hostile and I'll play no more part in your trolling game.
4. Re: Public shaming! by Anonymous Coward · 2015-04-23 14:38 · Score: 0
  
  Sorry TsuruchiBrian, I over-reacted. You'll be glad to know I got my medication refilled and I'm feeling much better now. You won't have to worry about me anymore, my mommy says I have to stay off the internet until I learn to post and manage my meds like a grown up.
5. Re: Public shaming! by Anonymous Coward · 2015-04-23 14:40 · Score: 0
  
  Lol, you're fail.
IF they don't have a bug bounty by Anonymous Coward · 2015-04-23 12:10 · Score: 1

don't 'research' their sites for exploits and expect a financial return
Don't follw the rules don't get paid. by jklovanc · 2015-04-23 12:11 · Score: 5, Informative

Part of the requirements to be paid a bounty is following the "responsible disclosure policy". The submitter did not follow that policy and therefore did not get paid. It seems pretty simple.
1. Re:Don't follw the rules don't get paid. by extranatural · 2015-04-23 12:29 · Score: 1
  
  Fair enough, but what about the other 30 or so bugs he reported?
  
  More to the point. Let's say they don't pay this time. Next time someone finds a bug that effects Groupon what incentive do they have to report it to Groupon? Why not sell it on a Blackhat forum for a big ol pile of bitcoins?
2. Re:Don't follw the rules don't get paid. by Anonymous Coward · 2015-04-23 12:38 · Score: 1, Informative
  
  Nowhere in the policy does it say that the exploit cannot be published. But there is the magic pull the rug out from under everyone clause: "Notwithstanding any of the above, Groupon reserves the right to cancel or modify this program at any time and without notice."
  http://www.groupon.com/pages/responsible-disclosure
  The man should be paid. Fuck Groupon if they don't follow through and do the right thing.
3. Re:Don't follw the rules don't get paid. by Stewie241 · 2015-04-23 12:48 · Score: 3, Informative
  
  Well the policy does say that they will not pay out for "Bugs that have been disclosed publicly or to third parties (brokers) by you or others"
4. Re:Don't follw the rules don't get paid. by jklovanc · 2015-04-23 13:20 · Score: 1
  
  Fair enough, but what about the other 30 or so bugs he reported?
  
  By not following the rules he is disqualified from the program no matter how many bugs he submitted.
  
  Next time someone finds a bug that effects Groupon what incentive do they have to report it to Groupon?
  The same as before and they might actually follow the rules and get paid.
5. Re:Don't follw the rules don't get paid. by ZippyTheChicken · 2015-04-23 13:28 · Score: 0
  
  I agree.. the person who found the holes was smart enough to find them.. but they were not smart enough to keep them a secret until they were fixed. Everyone knows how fast things can move and that you can never erase a post from the internet.. as soon as he posted it.. the content was probably republished from a RSS Feed or a Scraper to 100 other sites... the next time they will know .. find a bug then keep it secret.. its the honest thing to do.. and then he will get paid next time. we all learn things the hard way sometimes. I can remember releasing some code without license that then ended up in a commercial application. I could have been rich.. i should have been rich.. after they took it they banished me and so did all their friends.. and there went my job.. I should have know better than to help without an agreement.
6. Re:Don't follw the rules don't get paid. by Anonymous Coward · 2015-04-23 13:38 · Score: 1
  
  If you're going to post the link you should probably read the policy:
  
  Similarly, we also have a number of issues for which we will generally not pay out a bounty - and which include anything that reports an act that is abusive or in bad faith. These include:
  ...
  - Bugs that have been disclosed publicly or to third parties (brokers) by you or others
7. Re:Don't follw the rules don't get paid. by Black+Parrot · 2015-04-23 13:49 · Score: 1
  
  Part of the requirements to be paid a bounty is following the "responsible disclosure policy". The submitter did not follow that policy and therefore did not get paid. It seems pretty simple.
  I always make it even simpler, by citing my Greedy Bastard Policy regardless of what anyone does.
  
  --
  Sheesh, evil *and* a jerk. -- Jade
8. Re:Don't follw the rules don't get paid. by Anonymous Coward · 2015-04-23 14:01 · Score: 0
  
  Next time he might just use those vulnerabilities he found in a more profitable way. Screw someone over, don't be surprised when the karma comes back to bite you.
9. Re:Don't follw the rules don't get paid. by extranatural · 2015-04-23 15:29 · Score: 3, Insightful
  
  So the bottom line for you is about the letter of the law rather than the spirit of the law?
  
  If the 30 other bugs are forfeit because of a procedural mistake that only applied to one of the bugs, the next infosec researcher won't report 30 bugs. They will report them one at a time in an effort to maximize their rewards. The vulnerabilities will stay in the wild longer, the effectiveness of whole effort behind posting bounties is reduced.
  
  Hunting for bugs sometimes requires consulting with others in the infosec community. From what I understand it was a fairly minor and well intentioned slip. A technicality.
  
  If good intentions are met with pedantics & technicalities, I wonder how long those intentions will remain good.
10. Re:Don't follw the rules don't get paid. by jklovanc · 2015-04-23 15:52 · Score: 1
  
  The other issue are the 30 additional bugs just permutations of the bug that was published?
11. Re:Don't follw the rules don't get paid. by Anonymous Coward · 2015-04-23 17:23 · Score: 0
  
  No, it's the letter AND the spirit of the law. It's not a procedural mistake, releasing early is malicious. The other bugs are forfeit because they were not discovered by a security researcher but by an adversary.
12. Re:Don't follw the rules don't get paid. by luis_a_espinal · 2015-04-23 19:29 · Score: 1
  
  Ah, because wrong + wrong = right. Got it.
13. Re:Don't follw the rules don't get paid. by extranatural · 2015-04-23 20:27 · Score: 1
  
  That's a good point, at this point it's unclear how like (or unlike) the reported bugs were.
  
  None the less I think it wiser to reward the good intent rather than punish on a technicality.
14. Re:Don't follw the rules don't get paid. by Anonymous Coward · 2015-04-24 01:28 · Score: 0
  
  Ah, because wrong + wrong = right. Got it.
  No, additive wrongs are still wrong. Multiplicative wrongs, however, are mathematically positive. So, if you are going to wrong somebody, do it multiple times.
15. Re:Don't follw the rules don't get paid. by Anonymous Coward · 2015-04-24 03:24 · Score: 0
  
  You should probably read the link you posted.
  
  If you believe you find an issue on our site, we encourage you to report it to us in a private and responsible way.
16. Re:Don't follw the rules don't get paid. by jklovanc · 2015-04-24 03:52 · Score: 1
  
  Then there is the alternate scenario.
  1. Find bug.
  2. Report to Groupon.
  3. Publish on group just long enough to get noticed and replicated.
  4. Garner publicity for finding bug.
  5. Groupon deny bounty
  6. Garner more publicity from controversy.
  It might not be as innocent as they make it out to be. For some the notoriety is more important than the money.
17. Re:Don't follw the rules don't get paid. by pete6677 · 2015-04-24 06:16 · Score: 1
  
  Groupon had no intention of paying at all. If it weren't for that they would have just brought up some other technicality.
  Now security researchers know what they really need to do if they want to make money from Groupon vulnerabilities...
18. Re:Don't follw the rules don't get paid. by HornWumpus · 2015-04-24 06:16 · Score: 1
  
  You don't understand Karma.
  The victim deserves whatever you do to them. For actions in previous lives. They are at -1 to start, because Karma.
  
  --
  John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
19. Re:Don't follw the rules don't get paid. by jklovanc · 2015-04-24 06:31 · Score: 1
  
  Groupon had no intention of paying at all.
  That is a generalized assumption based on one incident. You have no idea if they have paid out in other instances.
Broke the term by Anonymous Coward · 2015-04-23 12:14 · Score: 0

He broke the terms of the bounty program by publicly disclosing the vulnerabilities.
End of story.
Editorial slant much? by Anonymous Coward · 2015-04-23 12:19 · Score: 5, Insightful

There's a dispute between two parties. I realize "company bad!" is everyone's default, but there ARE two sides to this story, and presenting one side with a heavy editorial slant is rarely productive.
Here are what appear to be the facts: A security researcher found several flaws on groupon.com. It's likely they were related, though how much so isn't directly stated. These flaws were reported to Groupon. At least some details related to at least some of the flaws were published online for a period of time, which may or may not be inadvertent. Groupon's stated policy is to reward researchers for reporting bugs, with a condition that the bugs are not also disclosed publicly before Groupon can address them. Groupon has declined to pay in this case because of the online posting.
Whether this is reasonable or horrible depends on a number of factor, for which we have only one person's word. Was the publishing of details inadvertent, or deliberate? How long was the post up? Did the post describe all the flaws, or just some? How detailed was the online description? Was the post proactively taken down by the author because it was posted "in error," or was it in response to Groupon's policy? How long did Groupon have information about this vulnerability before the online disclosure? All of these would affect my belief about who's being unreasonable to whom here.
1. Re:Editorial slant much? by Anonymous Coward · 2015-04-23 13:07 · Score: 0
  
  1 down now about the other 29?
2. Re:Editorial slant much? by Anonymous Coward · 2015-04-23 13:52 · Score: 1
  
  It does make me question how Groupon knew he'd posted it if it was only up a few minutes. It would seem that if Groupon knew it had been posted, then even if it was only up for a minute, it's possible that very many interested parties could have noticed as well. Since they want to be able to fix the bugs and not have the bugs advertised to people who would exploit them, it makes sense to only pay a bounty when the expert was appropriately careful with the information. Even if you expose it for a moment, you're exposing it for a moment to (possibly) everyone. Once you publish something, you can't reliably make it private again.
3. Re:Editorial slant much? by Anonymous Coward · 2015-04-23 13:56 · Score: 1
  
  Even if the researcher did the wrong thing, inadvertent / deliberate or not, Groupon should be smart enough to realise the impact to both their reputation and their future ability to have people participate in their program if they get a reputation for not paying. They should also be smart enough to understand that they may now become a target for people wanting to 'teach them a lesson' even if they are 100% in the right.
Groupon is still in business? by Anonymous Coward · 2015-04-23 12:24 · Score: 0

I had no idea they were still in business. Haven't heard anything in more than two years around here (Silicon Valley). Guess they moved on to rip off suckers in some other parts.
Trojan-like problems haunt Groupon by Krishnoid · 2015-04-23 12:28 · Score: 1

Apparently this isn't their only issue in attempting to prevent infections.
one word answer... by Anonymous Coward · 2015-04-23 12:28 · Score: 0

publish!
it's only groupon. fuck 'em like they fuck over their 'customers'
The Real Reason by Anonymous Coward · 2015-04-23 12:35 · Score: 0

FTA
"As a contributor to XSSposed.org Brute Logic spoke with people at the site and a reference to one of the security issues ended up being published. This only appeared online for a few moments, and was removed after it was realized it had been published in error. But Groupon is using this as a reason for refusing to pay out."
I would refuse the payout too if Brute Logic posted the vulnerability publicly before a patch was made ready.
1. Re:The Real Reason by Stewie241 · 2015-04-23 13:26 · Score: 2
  
  I'm trying to understand the use of the word 'moments'. It seems the article, which is clearly biased in favour of the security researcher, is trying to downplay the actual event. It is hard to really grasp exactly what happened here because the amount of time that the posting was live is not specifically mentioned. Generally, I would assume moments is about 10-15 seconds or less. However the following happened in those 'moments':
  1. The issue was published
  2. Somebody realized it was published in error (there is no indication of who)
  3. Groupon somehow found out about this being posted
  4. The article was removed
  So you can give the benefit of the doubt and assume it was an accident. But as a security research you have to realize that making this sort of mistake can have serious repercussions. If Groupon somehow discovered it had been published, it isn't that unreasonable to assume that others had as well.
Canadian Anti-Spam by Anonymous Coward · 2015-04-23 12:44 · Score: 0

They have no consideration for this law either. I receive 5 e-mails a day, they insist I was removed from the mailing list, I now receive at least 1 a day. I want 0
That's the definition of Responsible Disclosure by raymorris · 2015-04-23 12:46 · Score: 1

Responsible Disclosure is a term of art which means informing the company confidentially and allowing them sufficient time to fix it before making it public.
Note to self ... by Anonymous Coward · 2015-04-23 12:54 · Score: 3, Insightful

... next time sell info to hxkers
Pay The Man! by sk999 · 2015-04-23 13:02 · Score: 1

Groupon should pay attention to Richard Pryor:
www.youtube.com/watch?v=BcQ8zMOcV0E
entitlement by Anonymous Coward · 2015-04-23 13:04 · Score: -1

what an entitled fagot
oh, and XXS is not a rel security vuln to real niggers who do this shit daily
Strange response by lq_x_pl · 2015-04-23 13:12 · Score: 3, Insightful

I understand that he broke the terms. It is absolutely valid for Groupon to refuse to pay them.
From a 'big picture' point of view though, this was a very bad move. Security researchers are a group with whom you usually want to be on good terms. Maybe just reduce the payout over the one published exploit - but don't stiff the guy. Even if Brute Logic is a nice guy (tm) that continues to operate in a benevolent fashion, other security researchers (and their less-benevolent counterparts) may see this and decide that it is open season on Groupon.

--
An internal system operation returned the error "The operation completed successfully.".
1. Re:Strange response by Anonymous Coward · 2015-04-23 13:45 · Score: 1
  
  I understand that he broke the terms. It is absolutely valid for Groupon to refuse to pay them. From a 'big picture' point of view though, this was a very bad move. Security researchers are a group with whom you usually want to be on good terms. Maybe just reduce the payout over the one published exploit - but don't stiff the guy. Even if Brute Logic is a nice guy (tm) that continues to operate in a benevolent fashion, other security researchers (and their less-benevolent counterparts) may see this and decide that it is open season on Groupon.
  ...in other words, it's reasonable to expect some members of the security research community to attack you if you upset them. Which is basically what gangs would do when people would refuse to pay for the "insurance" they would "offer". Posting anonymously, for obvious reasons.
2. Re:Strange response by Anonymous Coward · 2015-04-23 13:56 · Score: 0
  
  The security researchers have become the exploiters/blackmailers at this point, no different from the hackers they claim to protect against.
3. Re:Strange response by PRMan · 2015-04-23 14:00 · Score: 1
  
  You may not like it (maybe none of us do), but ask Sony how suing GeoHot worked out for them...
  
  --
  Peter predicted that you would "deliberately forget" creation 2000 years ago...
4. Re: Strange response by Anonymous Coward · 2015-04-23 14:03 · Score: 0
  
  "Which is basically what gangs would do"
  So every business is a gang in your opinion. If you queer someone on a business deal, you expect them to not hold a grudge?
5. Re:Strange response by Anonymous Coward · 2015-04-23 14:08 · Score: 0
  
  I didnt know GeoHolt was from N. Korea.
6. Re: Strange response by Anonymous Coward · 2015-04-23 14:50 · Score: 0
  
  If you queer someone on a business deal, yes you can expect them to hold a grudge but not to kill you.
7. Re:Strange response by lq_x_pl · 2015-04-23 15:08 · Score: 2
  
  You're twisting my words. That's ok though, I'd expect that from AC.
  I wasn't saying that the researchers are an organized gang of cyber-thugs cruisin' the web for sploits. I was just acknowledging how humans tend to act in groups. Most people see someone acting unfairly and say, "Gee, that's not nice."
  Others, if they identify strongly with the individual they think was wronged, may take a more active role in meting out karma.
  This is particularly problematic, if you've offered a bounty for holes in your security - and then you refuse to pay someone who found holes in your security. You can't win. Folks will either stop trying to help you find holes in your security, or they'll find them and handle them in a way that is sure to be profitable.
  Don't piss of the folks you've asked to help - this applies to your dealings with waiters, plumbers, and mechanics as well.
  
  --
  An internal system operation returned the error "The operation completed successfully.".
8. Re:Strange response by Anonymous Coward · 2015-04-23 15:21 · Score: 0
  
  Not seeing the point, you shouldn't have to kiss the ass of your waiter, plumber, or mechanic if they do a terrible job.
9. Re:Strange response by lq_x_pl · 2015-04-23 15:44 · Score: 1
  
  Sometimes, you do.
  I'd rather swallow a little pride than have my shitter explode. To each his own, I guess.
  
  --
  An internal system operation returned the error "The operation completed successfully.".
10. Re:Strange response by maestroX · 2015-04-23 19:49 · Score: 1
  
  Even if Brute Logic is a nice guy (tm)
  
  Nah, hooligans (script kiddies evolved) wandering the net, the SPAM in your httpd log.
  
  Brute Logic @brutelogic Apr 22
  
  @r3nop0c @Groupon Of course their 30+ websites will @xssposed next times.
Good for them by Anonymous Coward · 2015-04-23 13:20 · Score: -1

Did he have a contract with them? Was he employed by them?
No? what claim does he have to money?
The next time I warn someone that their shoelaces are untied, I should demand a $1,000 reward!
They are not the only one by Anonymous Coward · 2015-04-23 13:48 · Score: 1

I submitted a bug to a company who claimed to offer up to 100k, the company never responded to any of my emails and fixed the bug about a month later. It puts me in a tight spot, I can't disclose this now fixed bug (for many months) if I want to hold out any hope of getting paid. Makes it hard to name and shame them...
262c603833189cbf75eba31d9dab1344544b4919
Open source type people... by Anonymous Coward · 2015-04-23 13:55 · Score: 0

Always sticking their hand out.
You insensitive 3lod?! by Anonymous Coward · 2015-04-23 14:25 · Score: -1

serhver crashes the 7uture holds Host what the house
That will end well.... by Anonymous Coward · 2015-04-23 14:29 · Score: 0

So groupon just incentivized the guy who has proven very capable to finding holes in their system to sell said holes on the black market.
I didn't know: Responsible Disclosure policy by Trax3001BBS · 2015-04-23 14:29 · Score: 1

Responsible disclosure fails to satisfy security researchers who expect to be financially compensated, while reporting vulnerabilities to the vendor with the expectation of compensation might be viewed as extortion. While a market for vulnerabilities has developed, vulnerability commercialization remains a hotly debated topic tied to the concept of vulnerability disclosure. http://en.wikipedia.org/wiki/R...
Still fell Groupon has a debt to pay, unless he did indeed release the info before Groupon could act on the issues.
That's the deal by stox · 2015-04-23 14:44 · Score: 1

You're basically being paid to keep it private until patched. Brute Logic blew it.
Groupon is an Open Source shop, and their staff is quite aware of good practices.
Had Brute Logic not disclosed, I am sure a check would be on its way.

--
"To those who are overly cautious, everything is impossible. "
1. Re:That's the deal by Anonymous Coward · 2015-04-23 22:56 · Score: 0
  
  Open Source people are usually fans of full disclosure. No marketing department that needs to do damage control before releasing the information, and if a patch is not trivial (as in, written and committed before you finish reading the description of the problem), they'd rather let the users take their own precautions, such as stopping services or changing firewall rules.
Re:I didn't know: Responsible Disclosure policy by Anonymous Coward · 2015-04-23 15:02 · Score: 0

It's not extortion when the vendor offers a bug bounty. Have you ever heard of a researcher demanding financial compensation from a vendor that didn't offer it in the first place?
Correct program by fulldecent · 2015-04-23 15:23 · Score: 1

I have come across vulnerabilities in consumer products, banks, and governments (though no airplanes). Here is a policy I use and I have not yet gone to jail, have gotten all problems fixed quickly, and usually gotten credit or some reward even if not requested.
> Hello, I have inadvertently found a security issue in your product, it allows you to do XXX which is not expected. I am publishing this on my security blog in [48 hours / 5 days / 2 weeks].
Any time I have deviated from this process even a little the results have been much worse.

--
-- I was raised on the command line, bitch
Cry more please by TheRecklessWanderer · 2015-04-23 15:25 · Score: 1

Man I wish this guy would shut up. He didn't follow the rules but he still wants his money. Tough crap. Quit crying and move on.

--
Mean what you say...say what you mean.
Re:I didn't know: Responsible Disclosure policy by Anonymous Coward · 2015-04-23 15:34 · Score: 0

Many companies that do not have "Bug Bounty" programs consider requests for money in exchange for vulnerability disclosure extortion and will report such acts to law enforcement.
Even many "Bug Bounty" programs will only pay for the first report of a vulnerability and if the same issue is reported repeatedly while they fix it they will not pay out to anyone because they will assume that the vulnerability is already in the wild.
And some companies that have "Bug Bounty" programs rarely pay out for vulnerabilities that they do not know about, because the vulnerability reporters do not know if a given vulnerability has been reported in the past or not. This substantially reduces company costs.
Be sure to carefully read the terms of any "Bug Bounty" program BEFORE reporting vulnerabilities.
Vulnerability reporters also need to remember that in most cases they are at significant economic and negotiation disadvantage given current statutes in many countries.
Selling vulnerabilities and exploits to 3rd parties can also be a legal risk if the vulnerabilities can only use is to target a specific company where it is reasonably clear their only possible use is to damage a specific company.
See: https://www.eff.org/issues/coders/vulnerability-reporting-faq
for a lot more information on the issues involved.
That's easy by rev0lt · 2015-04-23 15:42 · Score: 1

Did he had a coupon?
cult by stridebird · 2015-04-23 17:10 · Score: 1

Groupon? Is that still a thing?
I don't think I have ever seen CSRF implemented right. Certainly not on Django. OK that's not XSS but still. There's a lot of cargo cult security out there.
Own fault by SuperDre · 2015-04-23 19:56 · Score: 1

Well even if it was exposed for a brief moment, it means it was exposed, so the only one he can blame is himself, he shouldn't even have talked about it 'privately' on that site..
He should just stop blaming Groupon and just stop acting like a crybaby, especially if he claims there are 30 other problems, so he can get money for those.
Reasonable by aaaaaaargh! · 2015-04-23 20:39 · Score: 1

Who wants to pay someone who calls himself "Brute Logic"?
If he'd called himself "dark wizard" he'd get his reward!
One way exit of the situation by Anonymous Coward · 2015-04-23 21:30 · Score: 0

Well, the Pentester should give them 1 month of finding and patching these bugs all by themselves and if they don't, he should make the POC available freely on the web (without disclosing where he will post it initially). If they would like to know what these bugs are, they need to hire him to patch them.
If they are going to wait until he make them public, then they will rely on Google to index the source (usually takes 1 week but may not happen at all).
4chan by Lehk228 · 2015-04-23 23:22 · Score: 1

fuck it, just post the details on /b/ and make a bowl of popcorn

--
Snowden and Manning are heroes.
Funny morality by Anonymous Coward · 2015-04-24 00:59 · Score: 0

So where was groupons noble policy when they launched flawed website system in first place, placing all their customers at risk.. Pay up...
Good researcher poor businessman by Anonymous Coward · 2015-04-24 04:23 · Score: 0

It happens, he got screwed, get over with. Live and learn; hope he learned something, now go research some more and ask for $ to maximize your payout for hard work. Use the same head you used to research the bugs to negotiate your bounty. Why the hell are you asking them, instead of telling them how much you want?
Article Only by bobmajdakjr · 2015-04-24 06:02 · Score: 1

if you read nothing but the article here on site it sounds like someone did unsolicited work and expected compensation with no previous arrangement of payment. that is what we call a dick move.
1. Re:Article Only by david_thornley · 2015-04-24 08:53 · Score: 1
  
  That would be a dick move. Instead, he expected the bug bounty Groupon had advertised for reporting bugs to them and not talking about them until Groupon can fix them. However, by making the knowledge public too early, he violated the bounty policy.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes