Slashdot Mirror


Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs

Mark Wilson writes: Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work. Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to give up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.

26 of 148 comments

  1. Sell it to black hats then... by Karmashock · · Score: 3, Insightful

    They'll pay. The companies are unforgivably stingy about paying security bounties. Obviously a good person is not going to sell it to black hats. But why would anyone investigate security in these companies without compensation guarantees or the intent to exploit them for personal profit?

    Just stop even bothering to exploit them unless your interest is to sell the information to the highest bidder.

    Help companies that want help if you're a good person and exploit stupid companies if you're a bad person.

    Next issue.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:Sell it to black hats then... by stephanruby · · Score: 3, Informative

      They'll pay.

      It depends.

      Groupon's entire business model is based on extracting as much cash as possible from desperate businesses, even if that means those businesses go bankrupt. Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.

      Also, 32 XSS security issues seems like a pretty high number. Personally, I wouldn't be surprised if those 32 XSS vulnerabilities traced back to a single problem. That being said, I have no idea if that's the case, or not.

      Either this researcher, or Groupon, would have to tell us what those 32 XSS vulnerabilities were in the first place, for us to really understand this situation.

    2. Re:Sell it to black hats then... by mysidia · · Score: 3, Insightful

      Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.

      Possibly they don't mind bad press, but I'll bet they mind press that says their site is insecure, or that if you do business with them, "Your identity/credit card number might get stolen."

      That's probably why they got fussy and denied the researcher's bounty, when a note that an XSS bug (without substantive details) had been published.

      Sounds like maybe the "responsible disclosure" policy was about protecting the site's reputation, not their users' security.

    3. Re:Sell it to black hats then... by Cederic · · Score: 2

      To be fair, the report suggests they took the bug notification seriously and were discussing a patch.

      So they're trying to protect the site's reputation AND their users' security.

    4. Re:Sell it to black hats then... by stephanruby · · Score: 3, Interesting

      Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.

      Possibly they don't mind bad press, but I'll bet they mind press that says their site is insecure, or that if you do business with them, "Your identity/credit card number might get stolen."

      That's a good point.

      By the way, it was actually one single XSS flaw that was affecting 32 different web sites.

      At least, this is according to the researcher himself (either that, or he made a mistake expressing himself, because his English is obviously not too good). So if that's really the case that it was only one flaw, but on 32 sites, then I really do have no sympathy for him.

      Once a vulnerability is disclosed for one site, it's obvious that hackers are going to try to exploit the same flaw on other sites owned by that same entity. And by disclosing the vulnerability of two sites, a disclosure which was not accidental at all, it's obvious that he was pissed off that Groupon wouldn't commit to any minimum amount of money for his initial disclosure.

    5. Re:Sell it to black hats then... by stephanruby · · Score: 4, Insightful

      And continuing on my initial line of thought.

      I think that Groupon should assign $500 to that one security flaw disclosed by Brute_Logic (again, it can't be 32 flaws, because it's essentially only one flaw on 32 sites owned by Groupon), and then it should give that money as a donation to the EFF (under the pseudonym Brute_Logic).

      This would send the right message to future researchers who discover future flaws, that Groupon can be fair, but that researchers need to follow protocol if they really want the money to go to them.

    6. Re:Sell it to black hats then... by Antique+Geekmeister · · Score: 3, Informative

      > Black hats are not some cartoonish sinister force

      I've worked with both white hat and black hat crackers. Most black hat crackers, by an overwhelming majority, are _very_ cartoonish. That cartoonish and mostly incompetent majority does not pay their bills, they do not protect the confidentiality of their targets or of their colleagues, they violate their agreements, and they will attack the accounts and systems of the people who have already paid them once.

      Are there black hat crackers who keep their deals and their word? Yes, there are; I can think of several I consider professional colleagues. They break laws, but they turn around and sell their services to vulnerable clients to shore up their defenses, and I applaud their work. I would expect them to be willing to pay a modest sum for a zero-day exploit to add to their toolkit. But they're very much the exception. Go spend some time on the IRC channel "4chan" to get a much better sense of what the average black hat cracker is like.

  2. Re:Good for them by hawguy · · Score: 4, Informative

    I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.

    If they really wanted to line their pockets, they'd sell them to the black hats.

    Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.

    Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)

  3. Don't follow the rules, don't get paid. by jklovanc · · Score: 5, Informative

    Part of the requirements to be paid a bounty is following the "responsible disclosure policy". The submitter did not follow that policy and therefore did not get paid. It seems pretty simple.

    1. Re:Don't follow the rules, don't get paid. by Stewie241 · · Score: 3, Informative

      Well the policy does say that they will not pay out for "Bugs that have been disclosed publicly or to third parties (brokers) by you or others"

    2. Re:Don't follow the rules, don't get paid. by extranatural · · Score: 3, Insightful

      So the bottom line for you is about the letter of the law rather than the spirit of the law?

      If the 30 other bugs are forfeit because of a procedural mistake that only applied to one of the bugs, the next infosec researcher won't report 30 bugs. They will report them one at a time in an effort to maximize their rewards. The vulnerabilities will stay in the wild longer, and the effectiveness of the whole effort behind posting bounties is reduced.

      Hunting for bugs sometimes requires consulting with others in the infosec community. From what I understand it was a fairly minor and well intentioned slip. A technicality.

      If good intentions are met with pedantics & technicalities, I wonder how long those intentions will remain good.

  4. Editorial slant much? by Anonymous Coward · · Score: 5, Insightful

    There's a dispute between two parties. I realize "company bad!" is everyone's default, but there ARE two sides to this story, and presenting one side with a heavy editorial slant is rarely productive.

    Here are what appear to be the facts: A security researcher found several flaws on groupon.com. It's likely they were related, though how much so isn't directly stated. These flaws were reported to Groupon. At least some details related to at least some of the flaws were published online for a period of time, which may or may not be inadvertent. Groupon's stated policy is to reward researchers for reporting bugs, with a condition that the bugs are not also disclosed publicly before Groupon can address them. Groupon has declined to pay in this case because of the online posting.

    Whether this is reasonable or horrible depends on a number of factors, for which we have only one person's word. Was the publishing of details inadvertent, or deliberate? How long was the post up? Did the post describe all the flaws, or just some? How detailed was the online description? Was the post proactively taken down by the author because it was posted "in error," or was it in response to Groupon's policy? How long did Groupon have information about this vulnerability before the online disclosure? All of these would affect my belief about who's being unreasonable to whom here.

  5. Re:Good for them by mysidia · · Score: 4, Insightful

    They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.

    A safer internet doesn't put food on their table.

    It's Groupon who is lining their pockets, when they could be building a safer internet by actually paying money for security. It's the reluctance of companies to take security seriously and spend time and money on it that leads to an unsafe internet.

    And then we get dumb things like this "responsible disclosure program," which is really not about protecting users, but protecting Groupon's reputation. That is to say... it's a PR-protecting policy, not a policy for protecting users' safety. The unintentional disclosure they referenced regarding ONE of the 30 vulnerabilities didn't even reveal meaningful information about the vulnerability, therefore: Groupon was not concerned about exploit details being disclosed, but ONLY the fact that there was publicity being generated that said their site was insecure.

    The researchers need the bounty proceeds to justify spending the time researching to discover them. It's the companies that are lining their pockets, by avoiding hiring people like these folks and other security professionals to do this ----- instead offering small bounties, only available if they DO discover something wrong after spending possibly thousands of hours beating around looking for something wrong.

  6. Re:Good for them by un1nsp1red · · Score: 4, Insightful

    very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality

    Except this only works a couple times. Who is going to spend their time on Groupon now that they know they'll weasel out of paying?

  7. Note to self ... by Anonymous Coward · · Score: 3, Insightful

    ... next time sell info to hxkers

  8. Strange response by lq_x_pl · · Score: 3, Insightful

    I understand that he broke the terms. It is absolutely valid for Groupon to refuse to pay them.
    From a 'big picture' point of view though, this was a very bad move. Security researchers are a group with whom you usually want to be on good terms. Maybe just reduce the payout over the one published exploit - but don't stiff the guy. Even if Brute Logic is a nice guy (tm) that continues to operate in a benevolent fashion, other security researchers (and their less-benevolent counterparts) may see this and decide that it is open season on Groupon.

    --
    An internal system operation returned the error "The operation completed successfully.".
    1. Re:Strange response by lq_x_pl · · Score: 2
      You're twisting my words. That's ok though, I'd expect that from AC.
      I wasn't saying that the researchers are an organized gang of cyber-thugs cruisin' the web for sploits. I was just acknowledging how humans tend to act in groups. Most people see someone acting unfairly and say, "Gee, that's not nice."
      Others, if they identify strongly with the individual they think was wronged, may take a more active role in meting out karma.

      This is particularly problematic, if you've offered a bounty for holes in your security - and then you refuse to pay someone who found holes in your security. You can't win. Folks will either stop trying to help you find holes in your security, or they'll find them and handle them in a way that is sure to be profitable.
      Don't piss off the folks you've asked to help - this applies to your dealings with waiters, plumbers, and mechanics as well.

      --
      An internal system operation returned the error "The operation completed successfully.".
  9. Re:The Real Reason by Stewie241 · · Score: 2

    I'm trying to understand the use of the word 'moments'. It seems the article, which is clearly biased in favour of the security researcher, is trying to downplay the actual event. It is hard to really grasp exactly what happened here because the amount of time that the posting was live is not specifically mentioned. Generally, I would assume moments is about 10-15 seconds or less. However the following happened in those 'moments':
      1. The issue was published
      2. Somebody realized it was published in error (there is no indication of who)
      3. Groupon somehow found out about this being posted
      4. The article was removed

    So you can give the benefit of the doubt and assume it was an accident. But as a security researcher you have to realize that making this sort of mistake can have serious repercussions. If Groupon somehow discovered it had been published, it isn't that unreasonable to assume that others had as well.

  10. Re:Good for them by quantaman · · Score: 4, Insightful

    I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.

    If they really wanted to line their pockets, they'd sell them to the black hats.

    Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.

    Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)

    I'm sure they do have their own people looking for vulnerabilities, but if outsiders also find vulnerabilities they'd like to know.

    As for the non-payout I doubt Groupon's motive is financial. Far more likely they really want to discourage people from disclosing the bugs publicly before they have a chance to fix them.

    Whether Groupon is being reasonable is the question here.

    I'm personally skeptical that the expert found 32 separate issues but suspect he found 32 variations on the same issue (he says 32 sites affected, which leads me to believe this is the case). If so the description of one issue could give an attacker enough of a clue to find the other 31 issues.

    Then again it could be 32 legitimately unique issues, and the one vague disclosure might not have been enough to help an attacker. In that case Groupon should probably pay him out.

    --
    I stole this Sig
  11. Re:He screwed up. by Anonymous Coward · · Score: 2, Informative

    Yes, he did screw up: by getting things published on XSSposed.org before GroupOn fixed their issues.

  12. Re:Good for them by erice · · Score: 2

    (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)

    Maybe there is only one bug and the remaining 29 are just trivial exploit variations of a single error. Of course, if that were true, it would help if Groupon actually explained that rather than hiding behind generalized and opaque "policy" reasons.

  13. Re:He screwed up. by Sun · · Score: 4, Insightful

    Yes, he did screw up: by getting things published on XSSposed.org before GroupOn fixed their issues.

    You mean "thing", right? Only one, only by mistake, only for a short period of time.

    I'm with the researcher on this one.

    Shachar

  14. Re:Good for them by epyT-R · · Score: 3, Interesting

    Full disclosure also encourages the vendors to fix their shitty code asap, and encourages a preemptive security conscious culture. These are good things.

  15. Re:Good for them by niftymitch · · Score: 3, Interesting

    I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.

    If they really wanted to line their pockets, they'd sell them to ......

    Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win .......

    I'm sure they do have their own people looking for vulnerabilities, but if outsiders also find vulnerabilities ....

    Interesting...
    Vulnerability testing is sometimes difficult from inside.
    Companies have security policies that could make testing by employees quite difficult.
    Testing from home is often excluded by company rules.
    Network and hardware management also adds to this issue.
    Laws are making it harder and harder for White hats to operate.

    The issue of script rich "experts" hunting bounty is interesting.
    First the bounty needs rules and pre disclosure rules need to be bounded in time.
    Fixing it when I darn well want to is not a working answer.

    Script discovered flaws are likely industry standard flaws most with well known solutions. A list of script triggered flaws that is as long as this tells me that the engineering staff and management need to have their bonus packages reviewed. It seems like a flawed culture. Non payment of the bounty is a symptom if the report was held private for a fair length of time.

    Some companies have "sat" on bugs and faults. The most famous list of faults are enumerated in the security book written by Robert Morris. Almost none were fixed, then his son coded the Morris worm. That should have been the clue to the industry but it was not. The response was mostly legal not technical which is an inversion of the needs of national security where the laws of a nation cannot protect from predators in other nations.

    There is an astounding cognitive failure when a nation passes laws and fails to address the technical reach of those outside the reach of the law. Predator drones are not an answer ...

    This flawed protectionist mind set by many US TLAs is a problem. Other nations have the same issue and should be filing bugs with vendors left and right. Some nations might need a proxy for this but again national laws could find these people acting as agents of a foreign government to their loss of freedom.

    Kafka is giggling.

    --
    Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
  16. Re:He screwed up. by Dutch+Gun · · Score: 5, Interesting

    Except, his "one mistake" was bragging about his find to his buddies (the exploits were found and submitted, so there was no reason to do so), and Oops! it went public, obviously in a way that Groupon happened to spot it as well*. Now it's essentially out in the wild before a fix was in, however you want to spin it. That's the exact opposite of "responsible disclosure". If you tell someone else about an exploit, even in private, you no longer have control of that information. Groupon is, I think, making a point that they take the "responsible disclosure" part of that agreement seriously.

    Note in the article:

    He also points out that another company, Sucuri Security, was happy to pay out even after a tweet revealed some details of a security flaw in their product.

    Was this also by him, meaning this isn't the first time he's done this? Or one of his colleagues? How do you accidentally tweet about an undisclosed security disclosure? Is it too much to ask them to simply NOT blab about it to others in public forums? Either way, it seems like these guys need to learn how to keep their mouths shut about the vulnerabilities they discover until the fix is confirmed, that is, if they actually want a bounty. What the hell is so hard about NOT talking about a security exploit you've discovered? Ok, sort of a dick move by Groupon (no surprise), but it's hard for me to feel too sorry for this guy either.

    * My theory is that Groupon was actually emailed that the vulnerability was made public on XSSposed.org. If a company doesn't respond, XSSposed simply publishes the vulnerability and emails a notification to the webmaster, as they seem to be all about public exposure. This site also gives "rankings" to security researchers, so there seems to be an incentive to share the details of an exploit before it's fixed with others on the site in order to get "credit" for the discovery (and this guy is at the top of the list), which seems like a really bad incentive.

    --
    Irony: Agile development has too much inertia to be abandoned now.
  17. Re: Good for them by praxis · · Score: 2

    Especially since it appears sometimes bounty programs cost almost nothing to implement.