Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Bug Security The Almighty Buck

Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs 148

Mark Wilson writes: Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work. Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to give up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.
This discussion has been archived. No new comments can be posted.

Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs

Comments Filter:
  • by Anonymous Coward
    Should have made 30 separate submissions from 30 separate e-mail addresses.
    • Note to self ... (Score:3, Insightful)

      by Anonymous Coward

      ... next time sell info to hxkers

    • Re: (Score:2, Informative)

      by Anonymous Coward
      Yes, he did screw up: by getting things published on XSSposed.org before GroupOn fixed their issues.
      • Re:He screwed up. (Score:5, Insightful)

        by Sun ( 104778 ) on Thursday April 23, 2015 @09:38PM (#49542657) Homepage

        Yes, he did screw up: by getting things published on XSSposed.org before GroupOn fixed their issues.

        You mean "thing", right? Only one, only by mistake, only for a short period of time.

        I'm with the researcher on this one.

        Shachar

        • Re:He screwed up. (Score:5, Interesting)

          by Dutch Gun ( 899105 ) on Friday April 24, 2015 @06:23AM (#49544083)

          Except, his "one mistake" was bragging about his find to his buddies (the exploits were found and submitted, so there was no reason to do so), and Oops! it went public, obviously in a way that Groupon happened to spot it as well*. Now it's essentially out in the wild before a fix was in, however you want to spin it. That's the exact opposite of "responsible disclosure". If you tell someone else about an exploit, even in private, you no longer have control of that information. Groupon is, I think, making a point that they take the "responsible disclosure" part of that agreement seriously.

          Note in the article:

          He also points out that another company, Sucuri Security, was happy to pay out even after a tweet revealed some details of a security flaw in their product.

          Was this also by him, meaning this isn't the first time he's done this? Or one of his colleagues? How do you accidentally tweet about an undisclosed security disclosure? Is it too much to ask them to simply NOT blab about it to others in public forums? Either way, it learns like these guys need to learn how to keep their mouths shut about the vulnerabilities they discover until the fix is confirmed, that is, if they actually want a bounty. What the hell is so hard about NOT talking about a security exploit you've discovered? Ok, sort of a dick move by Groupon (no surprise), but it's hard for me to feel too sorry for this guy either.

          * My theory is that Groupon was actually emailed that the vulnerability was made public on XSSposed.org. If a company doesn't respond, XSSposed simply publishes the vulnerability and emails a notification to the webmaster, as they seem to be all about public exposure. This site also gives "rankings" to security researches, so there seems to be an incentive to share the details of an exploit before it's fixed with others on the site in order to get "credit" for the discovery (and this guy is that the top of the list), which seems like a really bad incentive.

        • by jythie ( 914043 )
          Even if 'only once, by mistake', he still did something that their disclosure rules explicitly said not to do or it invalided the process. It would be nice if they made an exception or were more understanding, but they are under no obligation and have every right to be pissed off, even if it was an accident.

          Think about when a company accidently puts an archive of customer details up on their download site. Even if they fix it quickly and it was an honest mistake, they still screwed up and people are goi
        • You mean "thing", right? Only one, only by mistake, only for a short period of time.

          you new to the internet? you can't expose something for a "short period of time". once it's posted, it lives on. anyone could have copied it. maybe you'd like to post your credit card card info for a "short period of time". you okay with that? it's only one "thing" after all.

          that's the whole point of a bounty system: to get folks to report bugs to you *privately* before they are discovered publicly. he got what he deserves. this is nothing more than sour grapes. he wanted his bounty, and the public fame of

          • by Sun ( 104778 )

            Let's tone down the ad-hominem, please.

            I brought forward the period of time the data was published as indication of intent. It does imply that the publication was unintended.

            There is a Hebrew proverb, "the law will puncture the mountain". It means strict adherence to the letter of the law, regardless of circumstances (or common sense).

            If you say "that's the agreement, and he violated it, however brief and however unintentional", then you still have to account to the 30 other vulnerabilities, for which Group

            • really? what message would paying him send?! if you find 3 vulnerabilities, go ahead and expose 2 of them. ruin our business. no problem. we'll pay you big bucks for the one you didn't release.

              and IMHO, why would they? he did them wrong, very wrong. they shouldn't reward him for that. consider it this way. the potential harm of publicly exposing the issue is massive. you seem to be claiming it's a zero. it isn't. it's a negative -1,000,000,000. 30 - 1,000,000,000 is a negative number. he's far from being in

  • by Karmashock ( 2415832 ) on Thursday April 23, 2015 @07:02PM (#49541853)

    They'll pay. The companies are unforgivably stingy about paying security bounties. Obviously a good person is not going to sell it to black hats. But why would anyone investigate security in these companies without compensation guarantees or the intent to exploit them for personal profit?

    Just stop even bothering to exploit them unless you interest is to sell the information to the highest bidder.

    Help companies that want help if you're a good person and exploit stupid companies if you're a bad person.

    Next issue.

    • by stephanruby ( 542433 ) on Thursday April 23, 2015 @08:06PM (#49542159)

      They'll pay.

      It depends.

      Groupon's entire business model is based on extracting as much cash as possible from desperate businesses, even if that means those businesses go bankrupt. Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.

      Also, 32 XSS security issues seems like a pretty high number. Personally, I wouldn't be surprised if those 32 XSS vulnerabilities traced back to a single problem. That being said, I have no idea if that's the case, or not.

      Either this researcher, or Groupon, would have to tell us what those 32 XSS vulnerabilities were in the first place, for us to really understand this situation.

      • by mysidia ( 191772 ) on Thursday April 23, 2015 @08:34PM (#49542317)

        Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.

        Possibly they don't mind bad press, but i'll bet they mind press that says their site is insecure, or that if you do businesses with them, "Your identity/credit card number might get stolen"

        That's probably why they got fussy and denied the researcher's bounty, when a note that a XSS bug (without substantive details) had been published.

        Sounds like maybe the "responsible disclosure" policy was about protecting the site's reputation, not their users' security.

        • by Cederic ( 9623 )

          To be fair, the report suggests they took the bug notification seriously and were discussing a patch.

          So they're trying to protect the site's reputation AND their users' security.

          • by mysidia ( 191772 )

            So they're trying to protect the site's reputation AND their users' security.

            Sure, they take the notification seriously and are patching by all apparent counts --- i'm not doubting that they are concerned about their site's security as well.

            That doesn't fully speak to the purpose of the "responsible disclosure" policy, and why they've decided to smite the researcher, however.

        • by stephanruby ( 542433 ) on Friday April 24, 2015 @02:00AM (#49543525)

          Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.

          Possibly they don't mind bad press, but i'll bet they mind press that says their site is insecure, or
          that if you do businesses with them, "Your identity/credit card number might get stolen"

          That's a good point.

          By the way, it was actually one single XSS flaw that was affecting 32 different web sites.

          At least, this is according to the researcher himself [twitter.com] (either that, or he made a mistake expressing himself, because his English is obviously not too good). So if that's really the case that it was only one flaw, but on 32 sites, then I really do have no sympathy for him.

          Once a vulnerability is disclosed for one site, it's obvious that hackers are going to try to exploit the same flaw on other sites owned by that same entity And by disclosing the vulnerability of two sites, a disclosure which was not accidental at all, it's obvious that he was pissed off that Groupon wouldn't commit to any minimum amount of money for his initial disclosure .

          • by stephanruby ( 542433 ) on Friday April 24, 2015 @02:21AM (#49543581)

            And continuing on my initial line of thought.

            I think that Groupon should assign $500 to that one security flaw disclosed by Brute_Logic (again, it can't be 32 flaws, because it's essentially only one flaw on 32 sites owned by Groupon), and then it should give that money as a donation to the EFF (under the pseudonym Brute_Logic).

            This would send the right message to future researchers who discover future flaws, that Groupon can be fair, but that researchers need to follow protocol if they really want the money to go to them.

      • If I can rip customer credit card information from them, that will matter. Are you going to buy a coupon from them if someone can steal your credit card information from their payment system?

        • Are you going to buy a coupon from them if someone can steal your credit card information from their payment system?

          People still buy from Targert

          • That's because no one knows if anyone was actually hurt because of that. All we know is that they had a breach.

            The banks likely ate most of the pain but they are suing target for the liability.

            So... no, companies don't just get away with that.

          • targets report 47 % drop in profits during the period immediately following... compared to i believe expectations of a year earlier.

    • Black hats are even less likely to pay. There's no binding contract to do an illegal thing, no lawyers, and many black hats will simply attack your systems if you try to deal with them, the only loss if they try to rip you off is to their "reputation", and in general they do not care or use a sock puppet anyway.

    • Obviously a good person is not going to sell it to black hats.

      You mean a law-abiding person. A good person does not prey on innocents, but Corporate America provides plenty of food satisfying any reasonable standard of sufficient sinfulness you care to set to qualify as an acceptable target.

      It's why movies that want robbers seem heroic often use casinos as targets: no one's going to shed a single tear when those who exploit people's dreams to fleece them get victimized in turn.

  • That's how problems get fixed these days isn't it? Let's do what we always do, and publicly shame groupon until they do the right thing. Internet DEPLOY!
  • by Anonymous Coward

    don't 'research' their sites for exploits and expect a financial return

  • by jklovanc ( 1603149 ) on Thursday April 23, 2015 @07:11PM (#49541891)

    Part of the requirements to be paid a bounty is following the "responsible disclosure policy". The submitter did not follow that policy and therefore did not get paid. It seems pretty simple.

    • Fair enough, but what about the other 30 or so bugs he reported?

      More to the point. Let's say they don't pay this time. Next time someone finds a bug that effects Groupon what incentive do they have to report it to Groupon? Why not sell it on a Blackhat forum for a big ol pile of bitcoins?
      • Fair enough, but what about the other 30 or so bugs he reported?

        By not following the rules he is disqualified from the program no matter how many bugs he submitted.

        Next time someone finds a bug that effects Groupon what incentive do they have to report it to Groupon?

        The same as before and they might actually follow the rules and get paid.

        • Re: (Score:3, Insightful)

          So the bottom line for you is about the letter of the law rather than the spirit of the law?

          If the 30 other bugs are forfeit because of a procedural mistake that only applied to one of the bugs, the next infosec researcher won't report 30 bugs. They will report them one at a time in an effort to maximize their rewards. The vulnerabilities will stay in the wild longer, the effectiveness of whole effort behind posting bounties is reduced.

          Hunting for bugs sometimes requires consulting with others in the
          • The other issue are the 30 additional bugs just permutations of the bug that was published?

            • That's a good point, at this point it's unclear how like (or unlike) the reported bugs were.

              None the less I think it wiser to reward the good intent rather than punish on a technicality.
              • Then there is the alternate scenario.
                1. Find bug.
                2. Report to Groupon.
                3. Publish on group just long enough to get noticed and replicated.
                4. Garner publicity for finding bug.
                5. Groupon deny bounty
                6. Garner more publicity from controversy.

                It might not be as innocent as they make it out to be. For some the notoriety is more important than the money.

        • Groupon had no intention of paying at all. If it weren't for that they would have just brought up some other technicality.

          Now security researchers know what they really need to do if they want to make money from Groupon vulnerabilities...

          • Groupon had no intention of paying at all.

            That is a generalized assumption based on one incident. You have no idea if they have paid out in other instances.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      Nowhere in the policy does it say that the exploit cannot be published. But there is the magic pull the rug out from under everyone clause: "Notwithstanding any of the above, Groupon reserves the right to cancel or modify this program at any time and without notice."

      http://www.groupon.com/pages/responsible-disclosure

      The man should be paid. Fuck Groupon if they don't follow through and do the right thing.

      • Responsible Disclosure is a term of art which means informing the company confidentially and allowing them sufficient time to fix it before making it public.

      • by Stewie241 ( 1035724 ) on Thursday April 23, 2015 @07:48PM (#49542071)

        Well the policy does say that they will not pay out for "Bugs that have been disclosed publicly or to third parties (brokers) by you or others"

      • by Anonymous Coward
        If you're going to post the link you should probably read the policy:

        Similarly, we also have a number of issues for which we will generally not pay out a bounty - and which include anything that reports an act that is abusive or in bad faith. These include:
        ...
        - Bugs that have been disclosed publicly or to third parties (brokers) by you or others

    • Part of the requirements to be paid a bounty is following the "responsible disclosure policy". The submitter did not follow that policy and therefore did not get paid. It seems pretty simple.

      I always make it even simpler, by citing my Greedy Bastard Policy regardless of what anyone does.

  • by Anonymous Coward on Thursday April 23, 2015 @07:19PM (#49541929)

    There's a dispute between two parties. I realize "company bad!" is everyone's default, but there ARE two sides to this story, and presenting one side with a heavy editorial slant is rarely productive.

    Here are what appear to be the facts: A security researcher found several flaws on groupon.com. It's likely they were related, though how much so isn't directly stated. These flaws were reported to Groupon. At least some details related to at least some of the flaws were published online for a period of time, which may or may not be inadvertent. Groupon's stated policy is to reward researchers for reporting bugs, with a condition that the bugs are not also disclosed publicly before Groupon can address them. Groupon has declined to pay in this case because of the online posting.

    Whether this is reasonable or horrible depends on a number of factor, for which we have only one person's word. Was the publishing of details inadvertent, or deliberate? How long was the post up? Did the post describe all the flaws, or just some? How detailed was the online description? Was the post proactively taken down by the author because it was posted "in error," or was it in response to Groupon's policy? How long did Groupon have information about this vulnerability before the online disclosure? All of these would affect my belief about who's being unreasonable to whom here.

    • by Anonymous Coward

      It does make me question how Groupon knew he'd posted it if it was only up a few minutes. It would seem that if Groupon knew it had been posted, then even if it was only up for a minute, it's possible that very many interested parties could have noticed as well. Since they want to be able to fix the bugs and not have the bugs advertised to people who would exploit them, it makes sense to only pay a bounty when the expert was appropriately careful with the information. Even if you expose it for a moment, you

    • by Anonymous Coward

      Even if the researcher did the wrong thing, inadvertent / deliberate or not, Groupon should be smart enough to realise the impact to both their reputation and their future ability to have people participate in their program if they get a reputation for not paying. They should also be smart enough to understand that they may now become a target for people wanting to 'teach them a lesson' even if they are 100% in the right.

  • Apparently this isn't their only issue in attempting to prevent infections [consumerist.com].

  • Groupon should pay attention to Richard Pryor:

    www.youtube.com/watch?v=BcQ8zMOcV0E

  • Strange response (Score:4, Insightful)

    by lq_x_pl ( 822011 ) on Thursday April 23, 2015 @08:12PM (#49542181)
    I understand that he broke the terms. It is absolutely valid for Groupon to refuse to pay them.
    From a 'big picture' point of view though, this was a very bad move. Security researchers are a group with whom you usually want to be on good terms. Maybe just reduce the payout over the one published exploit - but don't stiff the guy. Even if Brute Logic is a nice guy (tm) that continues to operate in a benevolent fashion, other security researchers (and their less-benevolent counterparts) may see this and decide that it is open season on Groupon.
    • by Anonymous Coward

      I understand that he broke the terms. It is absolutely valid for Groupon to refuse to pay them. From a 'big picture' point of view though, this was a very bad move. Security researchers are a group with whom you usually want to be on good terms. Maybe just reduce the payout over the one published exploit - but don't stiff the guy. Even if Brute Logic is a nice guy (tm) that continues to operate in a benevolent fashion, other security researchers (and their less-benevolent counterparts) may see this and decide that it is open season on Groupon.

      ...in other words, it's reasonable to expect some members of the security research community to attack you if you upset them.

      Which is basically what gangs would do when people would refuse to pay for the "insurance" they would "offer".

      Posting anonymously, for obvious reasons.

      • by PRMan ( 959735 )
        You may not like it (maybe none of us do), but ask Sony how suing GeoHot worked out for them...
      • by lq_x_pl ( 822011 )
        You're twisting my words. That's ok though, I'd expect that from AC.
        I wasn't saying that the researchers are an organized gang of cyber-thugs cruisin' the web for sploits. I was just acknowledging how humans tend to act in groups. Most people see someone acting unfairly and say, "Gee, that's not nice."
        Others, if they identify strongly with the individual they think was wronged, may take a more active role in meting out karma.

        This is particularly problematic, if you've offered a bounty for holes in you

    • Even if Brute Logic is a nice guy (tm)

      Nah, hooligans (script kiddies evolved) wandering the net, the SPAM in your httpd log.

      Brute Logic @brutelogic Apr 22

      @r3nop0c @Groupon Of course their 30+ websites will @xssposed next times.

  • by Anonymous Coward

    I submitted a bug to a company who claimed to offer up to 100k, the company never responded to any of my emails and fixed the bug about a month later. It puts me in a tight spot, I can't disclose this now fixed bug (for many months) if I want to hold out any hope of getting paid. Makes it hard to name and shame them...

    262c603833189cbf75eba31d9dab1344544b4919

  • Responsible disclosure fails to satisfy security researchers who expect to be financially compensated, while reporting vulnerabilities to the vendor with the expectation of compensation might be viewed as extortion. While a market for vulnerabilities has developed, vulnerability commercialization remains a hotly debated topic tied to the concept of vulnerability disclosure. http://en.wikipedia.org/wiki/R... [wikipedia.org]

    Still fell Groupon has a debt to pay, unless he did indeed release the info before Groupon could act o

  • You're basically being paid to keep it private until patched. Brute Logic blew it.

    Groupon is an Open Source shop, and their staff is quite aware of good practices.

    Had Brute Logic not disclosed, I am sure a check would be on its way.

  • I have come across vulnerabilities in consumer products, banks, and governments (though no airplanes). Here is a policy I use and I have not yet gone to jail, have gotten all problems fixed quickly, and usually gotten credit or some reward even if not requested.

    > Hello, I have inadvertently found a security issue in your product, it allows you to do XXX which is not expected. I am publishing this on my security blog in [48 hours / 5 days / 2 weeks].

    Any time I have deviated from this process even

  • Man I wish this guy would shut up. He didn't follow the rules but he still wants his money. Tough crap. Quit crying and move on.
  • Did he had a coupon?
  • Groupon? Is that still a thing?

    I don't think I have ever seen CSRF implemented right. Certainly not on Django. OK that's not XSS but still. There's a lot of cargo cult security out there.

  • Well even if it was exposed for a brief moment, it means it was exposed, so the only one he can blame is himself, he shouldn't even have talked about it 'privately' on that site..
    He should just stop blaming Groupon and just stop acting like a crybaby, especially if he claims there are 30 other problems, so he can get money for those.

  • Who wants to pay someone who calls himself "Brute Logic"?

    If he'd called himself "dark wizard" he'd get his reward!

  • fuck it, just post the details on /b/ and make a bowl of popcorn

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Working...