Slashdot Mirror
Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs
Mark Wilson writes: Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work. Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to give up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.
Should have made 30 separate submissions from 30 separate e-mail addresses.
They'll pay. The companies are unforgivably stingy about paying security bounties. Obviously a good person is not going to sell it to black hats. But why would anyone investigate security in these companies without compensation guarantees or the intent to exploit them for personal profit?
Just stop even bothering to exploit them unless you interest is to sell the information to the highest bidder.
Help companies that want help if you're a good person and exploit stupid companies if you're a bad person.
Next issue.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
That's how problems get fixed these days isn't it? Let's do what we always do, and publicly shame groupon until they do the right thing. Internet DEPLOY!
I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
If they really wanted to line their pockets, they'd sell them to the black hats.
Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.
Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)
don't 'research' their sites for exploits and expect a financial return
Part of the requirements to be paid a bounty is following the "responsible disclosure policy". The submitter did not follow that policy and therefore did not get paid. It seems pretty simple.
How did he hold it hostage? He disclosed the vulnerabilities to them privately before doing anything else. This wasn't a case of "shame them now, hope for a payout later". It was a case of "responsible disclose it privately, then do a stupid thing by disclosing it publicly before they've had a chance to pay you". As much as I don't like Groupon, I'm not sure which side of this disagreement I think is (most) in the wrong.
There's a dispute between two parties. I realize "company bad!" is everyone's default, but there ARE two sides to this story, and presenting one side with a heavy editorial slant is rarely productive.
Here are what appear to be the facts: A security researcher found several flaws on groupon.com. It's likely they were related, though how much so isn't directly stated. These flaws were reported to Groupon. At least some details related to at least some of the flaws were published online for a period of time, which may or may not be inadvertent. Groupon's stated policy is to reward researchers for reporting bugs, with a condition that the bugs are not also disclosed publicly before Groupon can address them. Groupon has declined to pay in this case because of the online posting.
Whether this is reasonable or horrible depends on a number of factor, for which we have only one person's word. Was the publishing of details inadvertent, or deliberate? How long was the post up? Did the post describe all the flaws, or just some? How detailed was the online description? Was the post proactively taken down by the author because it was posted "in error," or was it in response to Groupon's policy? How long did Groupon have information about this vulnerability before the online disclosure? All of these would affect my belief about who's being unreasonable to whom here.
Apparently this isn't their only issue in attempting to prevent infections.
They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
A safer internet doesn't put food on their table.
It's Groupon who is lining their pockets, when they could be building a safer internet by actually paying money for security. It's the reluctants of companies to take security seriously and spend time and money on it that leads to an unsafe internet.
And then we get dumb things like this "responsible disclosure program," which is really not about protecting users, but protecting Groupon's reputation. That is to say... it's a PR-protecting policy, not a policy for protecting users' safety. The unintentional disclosure they referenced regarding ONE of the 30 vulnerabilities didn't even reveal meaningful information about the vulnerability, therefore: Groupon was not concerned about exploit details being disclosed, but ONLY the fact that there was publicity being generated that said their site was insecure.
The researchers need the bounty proceeds to justify spending the time researching to discover them. It's the companies that are lining their pockets, by avoiding hiring people like these folks and other security professionals to do this ----- instead offering small bounties, only available if they DO discover something wrong after spending possibly thousands of hours beating around looking for something wrong.
Responsible Disclosure is a term of art which means informing the company confidentially and allowing them sufficient time to fix it before making it public.
very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality
Except this only works a couple times. Who is going to spend their time on Groupon now that they know they'll weasel out of paying?
... next time sell info to hxkers
Groupon should pay attention to Richard Pryor:
www.youtube.com/watch?v=BcQ8zMOcV0E
I understand that he broke the terms. It is absolutely valid for Groupon to refuse to pay them.
From a 'big picture' point of view though, this was a very bad move. Security researchers are a group with whom you usually want to be on good terms. Maybe just reduce the payout over the one published exploit - but don't stiff the guy. Even if Brute Logic is a nice guy (tm) that continues to operate in a benevolent fashion, other security researchers (and their less-benevolent counterparts) may see this and decide that it is open season on Groupon.
An internal system operation returned the error "The operation completed successfully.".
Security "experts" who do little more than run a pre-built set of scripts against websites. It's five minutes of work for them to roll the dice that they might get a payout. Even if the security firm invested serious time in developing the tools and scripts, their spamming their tests out and wanting a payday not commensurate with the scalability of their approach.
I'm trying to understand the use of the word 'moments'. It seems the article, which is clearly biased in favour of the security researcher, is trying to downplay the actual event. It is hard to really grasp exactly what happened here because the amount of time that the posting was live is not specifically mentioned. Generally, I would assume moments is about 10-15 seconds or less. However the following happened in those 'moments':
1. The issue was published
2. Somebody realized it was published in error (there is no indication of who)
3. Groupon somehow found out about this being posted
4. The article was removed
So you can give the benefit of the doubt and assume it was an accident. But as a security research you have to realize that making this sort of mistake can have serious repercussions. If Groupon somehow discovered it had been published, it isn't that unreasonable to assume that others had as well.
If they really wanted to line their pockets, they'd sell them to the black hats.
And who's to say that he doesn't have another three dozen that he knows about, but held back?
Please stand clear of the doors, por favor mantenganse alejado de las puertas
I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
If they really wanted to line their pockets, they'd sell them to the black hats.
Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.
Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)
I'm sure they do have their own people looking for vulnerabilities, but if outsiders also find vulnerabilities they'd like to know.
As for the non-payout I doubt Groupon's motive is financial. Far more likely they really want to discourage people from disclosing the bugs publicly before they have a chance to fix them.
Whether Groupon is being reasonable is the question here.
I'm personally skeptical that the expert found 32 separate issues but suspect he found 32 variations on the same issue (he says 32 sites affected, which leads me to believe this is the case). If so the description of one issue could give an attacker enough of a clue to find the other 31 issues.
Then again it could be 32 legitimately unique issues, and the one vague disclosure might not have been enough to help an attacker. In that case Groupon should probably pay him out.
I stole this Sig
I submitted a bug to a company who claimed to offer up to 100k, the company never responded to any of my emails and fixed the bug about a month later. It puts me in a tight spot, I can't disclose this now fixed bug (for many months) if I want to hold out any hope of getting paid. Makes it hard to name and shame them...
262c603833189cbf75eba31d9dab1344544b4919
If it's so easy then they really don't have an excuse and should be forced to pay. The work is important and it's been done. It needs to be paid for.
I don't get it. Someone please explain to the rest of us if there is either a verbal or written contract between security experts and website/merchanting/data corporations or business? Or is this some kind of tradition or unwritten corporate responsibility?
Don't be apathetic. Procrastinate!
(if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)
Maybe there is only one bug and the remaining 29 are just trivial exploit variations of a single error. Of course, if that were true, it would help if Groupon actually explained that rather than hiding behind generalized and opaque "policy" reasons.
Responsible disclosure fails to satisfy security researchers who expect to be financially compensated, while reporting vulnerabilities to the vendor with the expectation of compensation might be viewed as extortion. While a market for vulnerabilities has developed, vulnerability commercialization remains a hotly debated topic tied to the concept of vulnerability disclosure. http://en.wikipedia.org/wiki/R...
Still fell Groupon has a debt to pay, unless he did indeed release the info before Groupon could act on the issues.
You're basically being paid to keep it private until patched. Brute Logic blew it.
Groupon is an Open Source shop, and their staff is quite aware of good practices.
Had Brute Logic not disclosed, I am sure a check would be on its way.
"To those who are overly cautious, everything is impossible. "
Full disclosure also encourages the vendors to fix their shitty code asap, and encourages a preemptive security conscious culture. These are good things.
I have come across vulnerabilities in consumer products, banks, and governments (though no airplanes). Here is a policy I use and I have not yet gone to jail, have gotten all problems fixed quickly, and usually gotten credit or some reward even if not requested.
> Hello, I have inadvertently found a security issue in your product, it allows you to do XXX which is not expected. I am publishing this on my security blog in [48 hours / 5 days / 2 weeks].
Any time I have deviated from this process even a little the results have been much worse.
-- I was raised on the command line, bitch
Man I wish this guy would shut up. He didn't follow the rules but he still wants his money. Tough crap. Quit crying and move on.
Mean what you say...say what you mean.
No he is saying experts will still participate in programs because it is not too much effort and possibility of a payday will keep them in the program, despite poor track record of these companies.
Obviously you would loose the best experts who will spend the time and have the expertise to find the most obscure vulnerabilities. If those researchers where not interested at all in the program ( too small bounty for the effort, groupon track record etc) then Groupon losses nothing by having stingy payment policies.
It might be 5 minute effort for a single application, for someone who is spending is whole time testing dozens of applications everyday, tweaking,refining the scripts etc. It might be a full time job for an in house expert and he will cost lot more than a bounty program.
I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
If they really wanted to line their pockets, they'd sell them to ......
Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win .......
I'm sure they do have their own people looking for vulnerabilities, but if outsiders also find vulnerabilities ....
Interesting...
Vulnerability testing is sometimes difficult from inside.
Companies have security policies that could make testing by employees quite difficult.
Testing from home is often excluded by company rules.
Network and hardware management also adds to this issue.
Laws are making it harder and harder for White hats to operate.
The issue of script rich "experts" hunting bounty is interesting.
First the bounty needs rules and pre disclosure rules need to be bounded in time.
Fixing it when I darn well want to is not no a working answer.
Script discovered flaws are likely industry standard flaws most with well known solutions.
A list of script triggered flaws that is as long as this tells me that the engineering
staff and management need to have their bonus packages reviewed. It seems
like a flawed culture. Non payment of the bounty is a symptom if the report
was held private for a fair length of time.
Some companies have "sat" on bugs and faults. The most famous list of faults
are enumerated in the security book written by Robert Morris. Almost none were fixed then
his son coded the Morris worm. That should have been the clue to the
industry but it was not. The response was mostly legal not technical which
is an inversion of the needs of national security where the laws of a nation
cannot protect from predators in other nations.
There is an astounding cognitive failure when a nation passes laws and fails to ...
to address the technical reach of those outside the reach of the law. Predator drones
are not an answer
This flawed protectionist mind set by many US TLAs is a problem.
Other nations have the same issue and should be filing bugs with vendors
left and right. Some nations might need a proxy for this but again
national laws could find these people acting as agents of a foreign government
to their loss of freedom.
Kafka is giggling.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Did he had a coupon?
Groupon? Is that still a thing?
I don't think I have ever seen CSRF implemented right. Certainly not on Django. OK that's not XSS but still. There's a lot of cargo cult security out there.
A:"What is this? You expect me to pay you $1,000 to fix one line of code, which took you less than 5 minutes to do?? I demand an itemized bill!
B: Takes back the bill and tears it up. Writes something on a fresh billing sheet and hands it to A.
A: (reading new billing aloud) "Item One. Fixing one line of code: $5. Item Two. Knowing which line to fix: $995."
Want to share your knowledge?
Well even if it was exposed for a brief moment, it means it was exposed, so the only one he can blame is himself, he shouldn't even have talked about it 'privately' on that site..
He should just stop blaming Groupon and just stop acting like a crybaby, especially if he claims there are 30 other problems, so he can get money for those.
http://www.groupon.com/pages/r...
Looks like other companies give out rewards. I did not know that.
So if you are a security expert, find something, report it and don't get paid then an implied contract is broken.
Don't be apathetic. Procrastinate!
Who wants to pay someone who calls himself "Brute Logic"?
If he'd called himself "dark wizard" he'd get his reward!
Oh, so you think that bad guys can't afford hiring people with skills, and can't afford to buy exploits on the black market?
Out in the real world, when you find a vulnerability, it is likely that someone somewhere is already exploiting it. When you give the company that caused the problem time to have their marketing people do damage control, you are also giving the bad guys time extra time to exploit the vulnerability. Meanwhile, the losers in that game are the people running the software. The only responsible thing to do is to warn the users to take precautions (such as not running the software, or only doing so behind a firewall), which will both hamper the bad guys AND force the company to fix it faster than marketing would otherwise allow them to.
It should thus not be a surprise to anyone that marketing people have defined "responsible disclosure" as "let the bad guys run wild while waiting for damage control", which is NOT responsible, and can hardly be labelled disclosure.
fuck it, just post the details on /b/ and make a bowl of popcorn
Snowden and Manning are heroes.
People who are careful to not publicly disclose the issue before it is fixed? Yeah, it was a mistake, but one Groupon takes rather seriously. This is not 'weaseling out', this is a legitimate gripe that they decided to call him on. They could have been more understanding and that would be nice of them, but their grievance is real and they should not be shamed into pretending it is not.
Especially since it appears sometimes bounty programs cost almost nothing to implement.
> then Groupon losses nothing by having stingy payment policies.
Unless those experts sell their exploit to the black market and a successful exploit is carried out against Groupon and it's customers. Then I'd say they have lost something.
Those who make peaceful vulnerability discovery impossible will make violent exploiting inevitable.
for one exploit that was refused, how is it legitimate to deny the bounty for the other 29?
i imagine they just made an enemy, or at least lost an ally, over 10k at most?
you how bad a hit they'd take if they had a theft of data? target claims that their data breach depressed their holiday profits by 47 percent...
i think groupon has got yearly profits in the billions range... and they're quibbling over a few thousand?
They definitely could have played it differently. The fact that the disclosure post was removed quickly may indicate wrongdoing, that he realized he messed up. So, fine, remove the disclosed vulnerabilities from the bounty, but still pay the bounty for the others. If he had submitted each issue separately they would have paid the others that he didn't disclose.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
if you read nothing but the article here on site it sounds like someone did unsolicited work and expected compensation with no previous arrangement of payment. that is what we call a dick move.
Depends. If the vendor intends to fix reported problems reasonably fast, then full disclosure gives the bad guys a boost up. If the vendor doesn't care about reported problems, it might light a fire under them. Knowing nothing about how Groupon addresses reported vulnerabilities, all I can say is that they can set bounty rules as they like, and people either will or won't look for vulnerabilities.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win
maybe you aren't familiar with how bug bounties work. it's when a company pays a finder for *privately* reporting issues before they are discovered publicly. this guy did both. he reported it privately when went on to disclose it publicly. you think a company should reward someone for disclosing security vulnerabilities publicly before they have a chance to fix them?
Except this only works a couple times. Who is going to spend their time on Groupon now that they know they'll weasel out of paying?
groupon would rather bugs not be reported at all than having them posted openly on the internet before they have a chance to fix them. anyone would. this guy did them a major disservice.
for one exploit that was refused, how is it legitimate to deny the bounty for the other 29?
because life's not completely disconnected like that?
because you don't pay someone that publicly exposed exploits without giving you a chance to fix them.
say you paid a guy to mow your lawn for $20 and wash your car for $20. he does a fine job mowing your lawn, but in the process of washing your car he breaks your windshield and slits your tires (maliciously, and offering no compensation). would you pay him for mowing your lawn?
he fact that the disclosure post was removed quickly may indicate wrongdoing, that he realized he messed up. So, fine, remove the disclosed vulnerabilities from the bounty, but still pay the bounty for the others.
sometimes when you f-up you just have to eat it. accept responsibility and the outcome of YOUR mistake. behavior like this is a side affect of the having parents that never let your learn lessons the hard way. lost your iPod little Johnny? we'll buy you a new one. i don't blame him for being upset. anyone would be upset. but it's his mistake.
If he had submitted each issue separately they would have paid the others that he didn't disclose.
almost certainly not. they are not paying him because he did something very irresponsible. he did exactly what that the bounty program is trying to prevent. it's like if you offered someone $20 to wash your car, which they did, but then threw a bucket of mud on it. would you still pay them the $20?
it's like if you offered someone $20 to wash your car, which they did, but then threw a bucket of mud on it. would you still pay them the $20?
Uh, no. But if I got 30 washes, and the car was cleaned 29 times, and one time it had mud on it, I would still pay for the other 29 washes.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
The short answer is yes. If there is an agreement in place to pay for work performed, then you pay. That doesn't prevent you from taking separate action for the malicious activity. Now, if the payment arrangement for $40 upon completion of both.. you'd have an argument.
Perhaps, but then vendors who routinely do not fix their shit promptly will have bad reputations from repeated breaches, as it should be. Hopefully such companies go out of business.
Of course, they can set them as they please, but I can also criticize 'ethical hacker' policies that are too soft on vendors.
Selling it the black market is only half the part, not getting caught is the important part. More damage a exploit can cause Groupon ( i.e. higher the value on the market) more the chances law enforcement will be knocking on your door.
Companies like Groupon face a higher risk from dissatisfied(or the dumb ones exposed to phishing/social engineering ) employees leaking information than from external exploits, so they are screwed anyway if white hats/employees start acting in bad faith. They are counting on good faith of majority of the players and possibility of punishment via law enforcement to save them.
it seems it was 1 exploit that affected 30 systems. so the point is moot.
as an exercise though, yes, yes you do.
if this were a business decision/transaction at all you would.
if it were 30 separate exploits, you would pay him for 30 exploits, and charge him damages for the 1 that got away. Penalties or what have you. And you do this because it's more orderly that way, and you're trying to be aboveboard with this individual and with the community as a whole. For future collaboration.
You do it so the guy has no story to spread, about how you don't honor your agreement... because again, it's business.
In your example, this is one of the only guys that mows lawns in your area, and guess what, the lawn mower's association is pretty fucking tight-knit... and it's all illegals, so that 20 buck sounds about right.
You've asked around, and anybody else that you want to do it will cost 40 buck a week to do the same thing that these guys wanted 20 buck per mowing wanted. and they only had to come around every other week. Oh, and guess what, you're in california, and this grass is dry as fuck. And if fire ever comes back and you've got an unmowed lawn, your headquarters is going to burn the hell down.
this would be a parallel situation. you suck it up, and treat it like business, and show that you'll pay for work done, and honor your word, otherwise you're out bigger money one way or the other.
if it were 30 separate exploits, you would pay him for 30 exploits, and charge him damages for the 1 that got away.
man, life, you're new to it huh? good luck when you leave you mom's basement and discover that's not how life works.
:) depends on the business you're in. but it's how it's done in at least one fast-paced industry... trucking... and probably a shit-ton more than that.
you get a relationship, you forgo the contract. payment on delivery, and you don't quibble over the small stuff. establish terms, and if the other guy delivers on time, you pay him, if he says you owe him money, you verify it, and you pay him. If he fucks something up, he gives you a discount on the invoice or he pays for it. You don't fucking jeopardize your relationship over... what certainly amounts to less than a fucking percent of your operating costs.
and yes, you get pay, because the other guy delivered on 30 things, and if you quibble over one, you quibble over one. But you do it above board, because you're both making money out of the relationship, and it's retarded to jeopardize the future profits for... a pittance.