Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs
Mark Wilson writes: Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work. Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to give up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.
I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
If they really wanted to line their pockets, they'd sell them to the black hats.
Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.
Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)
Part of the requirements to be paid a bounty is following the "responsible disclosure policy". The submitter did not follow that policy and therefore did not get paid. It seems pretty simple.
There's a dispute between two parties. I realize "company bad!" is everyone's default, but there ARE two sides to this story, and presenting one side with a heavy editorial slant is rarely productive.
Here are what appear to be the facts: A security researcher found several flaws on groupon.com. It's likely they were related, though how much so isn't directly stated. These flaws were reported to Groupon. At least some details related to at least some of the flaws were published online for a period of time, which may or may not be inadvertent. Groupon's stated policy is to reward researchers for reporting bugs, with a condition that the bugs are not also disclosed publicly before Groupon can address them. Groupon has declined to pay in this case because of the online posting.
Whether this is reasonable or horrible depends on a number of factors, for which we have only one person's word. Was the publishing of details inadvertent, or deliberate? How long was the post up? Did the post describe all the flaws, or just some? How detailed was the online description? Was the post proactively taken down by the author because it was posted "in error," or was it in response to Groupon's policy? How long did Groupon have information about this vulnerability before the online disclosure? All of these would affect my belief about who's being unreasonable to whom here.
They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
A safer internet doesn't put food on their table.
It's Groupon who is lining their pockets, when they could be building a safer internet by actually paying money for security. It's the reluctance of companies to take security seriously and spend time and money on it that leads to an unsafe internet.
And then we get dumb things like this "responsible disclosure program," which is really not about protecting users, but protecting Groupon's reputation. That is to say... it's a PR-protecting policy, not a policy for protecting users' safety. The unintentional disclosure they referenced regarding ONE of the 30 vulnerabilities didn't even reveal meaningful information about the vulnerability, therefore: Groupon was not concerned about exploit details being disclosed, but ONLY the fact that there was publicity being generated that said their site was insecure.
The researchers need the bounty proceeds to justify spending the time researching to discover them. It's the companies that are lining their pockets, by avoiding hiring people like these folks and other security professionals to do this - instead offering small bounties, only available if they DO discover something wrong after spending possibly thousands of hours beating around looking for something wrong.
very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality
Except this only works a couple times. Who is going to spend their time on Groupon now that they know they'll weasel out of paying?
I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
If they really wanted to line their pockets, they'd sell them to the black hats.
Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.
Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)
I'm sure they do have their own people looking for vulnerabilities, but if outsiders also find vulnerabilities they'd like to know.
As for the non-payout I doubt Groupon's motive is financial. Far more likely they really want to discourage people from disclosing the bugs publicly before they have a chance to fix them.
Whether Groupon is being reasonable is the question here.
I'm personally skeptical that the expert found 32 separate issues but suspect he found 32 variations on the same issue (he says 32 sites affected, which leads me to believe this is the case). If so the description of one issue could give an attacker enough of a clue to find the other 31 issues.
Then again it could be 32 legitimately unique issues, and the one vague disclosure might not have been enough to help an attacker. In that case Groupon should probably pay him out.
I stole this Sig
Yes, he did screw up: by getting things published on XSSposed.org before Groupon fixed their issues.
You mean "thing", right? Only one, only by mistake, only for a short period of time.
I'm with the researcher on this one.
Shachar
And continuing on my initial line of thought.
I think that Groupon should assign $500 to that one security flaw disclosed by Brute_Logic (again, it can't be 32 flaws, because it's essentially only one flaw on 32 sites owned by Groupon), and then it should give that money as a donation to the EFF (under the pseudonym Brute_Logic).
This would send the right message to future researchers who discover future flaws, that Groupon can be fair, but that researchers need to follow protocol if they really want the money to go to them.
Except, his "one mistake" was bragging about his find to his buddies (the exploits were found and submitted, so there was no reason to do so), and Oops! it went public, obviously in a way that Groupon happened to spot it as well*. Now it's essentially out in the wild before a fix was in, however you want to spin it. That's the exact opposite of "responsible disclosure". If you tell someone else about an exploit, even in private, you no longer have control of that information. Groupon is, I think, making a point that they take the "responsible disclosure" part of that agreement seriously.
Note in the article:
He also points out that another company, Sucuri Security, was happy to pay out even after a tweet revealed some details of a security flaw in their product.
Was this also by him, meaning this isn't the first time he's done this? Or one of his colleagues? How do you accidentally tweet about an undisclosed security disclosure? Is it too much to ask them to simply NOT blab about it to others in public forums? Either way, it seems like these guys need to learn how to keep their mouths shut about the vulnerabilities they discover until the fix is confirmed, that is, if they actually want a bounty. What the hell is so hard about NOT talking about a security exploit you've discovered? Ok, sort of a dick move by Groupon (no surprise), but it's hard for me to feel too sorry for this guy either.
* My theory is that Groupon was actually emailed that the vulnerability was made public on XSSposed.org. If a company doesn't respond, XSSposed simply publishes the vulnerability and emails a notification to the webmaster, as they seem to be all about public exposure. This site also gives "rankings" to security researchers, so there seems to be an incentive to share the details of an exploit before it's fixed with others on the site in order to get "credit" for the discovery (and this guy is at the top of the list), which seems like a really bad incentive.
Irony: Agile development has too much inertia to be abandoned now.