Groupon refuses to pay security expert who found serious XSS site bugs
Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work.
Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out -- but Groupon refuses to stump up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the money.
The story starts a few days ago when Brute Logic discovered 32 XSS (cross-site scripting) issues affecting Groupon. He says they were particularly serious because they existed at the root of the site (on Groupon's main domain rather than some obscure subdomain) and could be exploited simply by getting a victim to open a crafted URL. Brute Logic says the issue is all the more serious because Groupon stores credit card details, and it would be easy to craft a legitimate-looking Groupon URL carrying a payload that, for example, redirects victims to a fake site.
On April 17 he contacted Groupon to report the problems and heard back almost immediately with a note saying that the company would investigate and report back shortly. The security team then got back to him saying that it had managed to isolate the issue and would be in touch again once a patch had been produced.
Brute Logic enquired about the level of financial reward that might be offered, and Groupon responded by saying that the bounty was calculated on a case-by-case basis, promising to "circle back" with details of what could be offered in this instance.
As a contributor to XSSposed.org, Brute Logic spoke with people at the site, and a reference to one of the security issues ended up being published. It only appeared online for a few moments and was removed once it was realized it had been published in error. But Groupon is using this as its reason for refusing to pay out.
Groupon's Bug Bounty Program terms say:
We value your input. When properly notified of a security issue we are committed to working with you to understand and remediate verified problems. If you believe you find an issue on our site, we encourage you to report it to us in a private and responsible way. In order to encourage this, we have established a reward program which will pay a bounty for verifiable security issues reported to us through the proper channel.
Brute Logic argues that the other 30-plus problems were never made public, and that only very scant details of a single flaw were published, and then only for a very short time. In a further email, Groupon said:
Unfortunately we won't be able to offer you a bounty for this submission. In the future we ask that you respect our responsible disclosure policy and not publicly disclose the vulnerability without proper notification. We noticed that you submitted the vulnerability to xssposed.org.
Understandably, Brute Logic is not happy, as his tweets make clear:
— Brute Logic (@brutelogic) April 22, 2015
He also points out that another company, Sucuri Security, was happy to pay out even after a tweet revealed some details of a security flaw in its product.
Does Groupon's decision seem fair to you, or does it smack of wriggling out of making a payment on a technicality?