Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs 148
Mark Wilson writes: Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work. Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to give up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.
He screwed up. (Score:1)
Note to self ... (Score:3, Insightful)
... next time sell info to hxkers
Re: (Score:2, Informative)
Re:He screwed up. (Score:5, Insightful)
Yes, he did screw up: by getting things published on XSSposed.org before GroupOn fixed their issues.
You mean "thing", right? Only one, only by mistake, only for a short period of time.
I'm with the researcher on this one.
Shachar
Re:He screwed up. (Score:5, Interesting)
Except, his "one mistake" was bragging about his find to his buddies (the exploits were found and submitted, so there was no reason to do so), and Oops! it went public, obviously in a way that Groupon happened to spot it as well*. Now it's essentially out in the wild before a fix was in, however you want to spin it. That's the exact opposite of "responsible disclosure". If you tell someone else about an exploit, even in private, you no longer have control of that information. Groupon is, I think, making a point that they take the "responsible disclosure" part of that agreement seriously.
Note in the article:
He also points out that another company, Sucuri Security, was happy to pay out even after a tweet revealed some details of a security flaw in their product.
Was this also by him, meaning this isn't the first time he's done this? Or one of his colleagues? How do you accidentally tweet about an undisclosed security disclosure? Is it too much to ask them to simply NOT blab about it to others in public forums? Either way, it learns like these guys need to learn how to keep their mouths shut about the vulnerabilities they discover until the fix is confirmed, that is, if they actually want a bounty. What the hell is so hard about NOT talking about a security exploit you've discovered? Ok, sort of a dick move by Groupon (no surprise), but it's hard for me to feel too sorry for this guy either.
* My theory is that Groupon was actually emailed that the vulnerability was made public on XSSposed.org. If a company doesn't respond, XSSposed simply publishes the vulnerability and emails a notification to the webmaster, as they seem to be all about public exposure. This site also gives "rankings" to security researches, so there seems to be an incentive to share the details of an exploit before it's fixed with others on the site in order to get "credit" for the discovery (and this guy is that the top of the list), which seems like a really bad incentive.
Re: (Score:2)
Think about when a company accidently puts an archive of customer details up on their download site. Even if they fix it quickly and it was an honest mistake, they still screwed up and people are goi
Re: (Score:2)
You mean "thing", right? Only one, only by mistake, only for a short period of time.
you new to the internet? you can't expose something for a "short period of time". once it's posted, it lives on. anyone could have copied it. maybe you'd like to post your credit card card info for a "short period of time". you okay with that? it's only one "thing" after all.
that's the whole point of a bounty system: to get folks to report bugs to you *privately* before they are discovered publicly. he got what he deserves. this is nothing more than sour grapes. he wanted his bounty, and the public fame of
Re: (Score:2)
Let's tone down the ad-hominem, please.
I brought forward the period of time the data was published as indication of intent. It does imply that the publication was unintended.
There is a Hebrew proverb, "the law will puncture the mountain". It means strict adherence to the letter of the law, regardless of circumstances (or common sense).
If you say "that's the agreement, and he violated it, however brief and however unintentional", then you still have to account to the 30 other vulnerabilities, for which Group
Re: (Score:2)
really? what message would paying him send?! if you find 3 vulnerabilities, go ahead and expose 2 of them. ruin our business. no problem. we'll pay you big bucks for the one you didn't release.
and IMHO, why would they? he did them wrong, very wrong. they shouldn't reward him for that. consider it this way. the potential harm of publicly exposing the issue is massive. you seem to be claiming it's a zero. it isn't. it's a negative -1,000,000,000. 30 - 1,000,000,000 is a negative number. he's far from being in
Sell it to black hats then... (Score:4, Insightful)
They'll pay. The companies are unforgivably stingy about paying security bounties. Obviously a good person is not going to sell it to black hats. But why would anyone investigate security in these companies without compensation guarantees or the intent to exploit them for personal profit?
Just stop even bothering to exploit them unless you interest is to sell the information to the highest bidder.
Help companies that want help if you're a good person and exploit stupid companies if you're a bad person.
Next issue.
Re:Sell it to black hats then... (Score:4, Informative)
They'll pay.
It depends.
Groupon's entire business model is based on extracting as much cash as possible from desperate businesses, even if that means those businesses go bankrupt. Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.
Also, 32 XSS security issues seems like a pretty high number. Personally, I wouldn't be surprised if those 32 XSS vulnerabilities traced back to a single problem. That being said, I have no idea if that's the case, or not.
Either this researcher, or Groupon, would have to tell us what those 32 XSS vulnerabilities were in the first place, for us to really understand this situation.
Re:Sell it to black hats then... (Score:4, Insightful)
Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.
Possibly they don't mind bad press, but i'll bet they mind press that says their site is insecure, or that if you do businesses with them, "Your identity/credit card number might get stolen"
That's probably why they got fussy and denied the researcher's bounty, when a note that a XSS bug (without substantive details) had been published.
Sounds like maybe the "responsible disclosure" policy was about protecting the site's reputation, not their users' security.
Re: (Score:3)
To be fair, the report suggests they took the bug notification seriously and were discussing a patch.
So they're trying to protect the site's reputation AND their users' security.
Re: (Score:2)
So they're trying to protect the site's reputation AND their users' security.
Sure, they take the notification seriously and are patching by all apparent counts --- i'm not doubting that they are concerned about their site's security as well.
That doesn't fully speak to the purpose of the "responsible disclosure" policy, and why they've decided to smite the researcher, however.
Re:Sell it to black hats then... (Score:4, Interesting)
Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.
Possibly they don't mind bad press, but i'll bet they mind press that says their site is insecure, or
that if you do businesses with them, "Your identity/credit card number might get stolen"
That's a good point.
By the way, it was actually one single XSS flaw that was affecting 32 different web sites.
At least, this is according to the researcher himself [twitter.com] (either that, or he made a mistake expressing himself, because his English is obviously not too good). So if that's really the case that it was only one flaw, but on 32 sites, then I really do have no sympathy for him.
Once a vulnerability is disclosed for one site, it's obvious that hackers are going to try to exploit the same flaw on other sites owned by that same entity And by disclosing the vulnerability of two sites, a disclosure which was not accidental at all, it's obvious that he was pissed off that Groupon wouldn't commit to any minimum amount of money for his initial disclosure .
Re:Sell it to black hats then... (Score:5, Insightful)
And continuing on my initial line of thought.
I think that Groupon should assign $500 to that one security flaw disclosed by Brute_Logic (again, it can't be 32 flaws, because it's essentially only one flaw on 32 sites owned by Groupon), and then it should give that money as a donation to the EFF (under the pseudonym Brute_Logic).
This would send the right message to future researchers who discover future flaws, that Groupon can be fair, but that researchers need to follow protocol if they really want the money to go to them.
Re: (Score:2)
If I can rip customer credit card information from them, that will matter. Are you going to buy a coupon from them if someone can steal your credit card information from their payment system?
Re: (Score:2)
Are you going to buy a coupon from them if someone can steal your credit card information from their payment system?
People still buy from Targert
Re: (Score:2)
That's because no one knows if anyone was actually hurt because of that. All we know is that they had a breach.
The banks likely ate most of the pain but they are suing target for the liability.
So... no, companies don't just get away with that.
Re: (Score:2)
targets report 47 % drop in profits during the period immediately following... compared to i believe expectations of a year earlier.
Re: (Score:2)
Black hats are even less likely to pay. There's no binding contract to do an illegal thing, no lawyers, and many black hats will simply attack your systems if you try to deal with them, the only loss if they try to rip you off is to their "reputation", and in general they do not care or use a sock puppet anyway.
Re:Sell it to black hats then... (Score:4, Informative)
> Black hats are not some cartoonish sinister force
I've worked with both white hat and black hat crackers. Most black hat crackers, by an overwhelming majority, are an _very_ cartoonish. That cartoonish and mostly incompetent majority does not pay their bills, they do not protect the confidentiality of their targets or of their colleagues, they violate their agreements, and they will attack the accounts and systems of the people who have already paid them once.
Are there black hat crackers who keep their deals and their word? Yes, there are I can think of several I consider professional colleagues. They break laws, but they turn around and sell their services to vulnerable clients to shore up their defenses, and I applaud their work. I would expect them be willing to pay a modest sum for a zero-day exploit to add to their toolkit. But they're very much the exception. Go spend some time on the IRC chnnel "4chan" to get a much better sense of what the average black hat cracker is like.
Re: (Score:2)
You mean a law-abiding person. A good person does not prey on innocents, but Corporate America provides plenty of food satisfying any reasonable standard of sufficient sinfulness you care to set to qualify as an acceptable target.
It's why movies that want robbers seem heroic often use casinos as targets: no one's going to shed a single tear when those who exploit people's dreams to fleece them get victimized in turn.
Re: (Score:2)
This is the sort of mentality that lets people think it is okay to plant bombs to blow up police cars because you're mad about the vietnam war or something.
to which I can only respond with this:
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
Yes, only bad people would sell to black hats.
Public shaming! (Score:2, Funny)
Re: (Score:2)
IF they don't have a bug bounty (Score:1)
don't 'research' their sites for exploits and expect a financial return
Don't follw the rules don't get paid. (Score:5, Informative)
Part of the requirements to be paid a bounty is following the "responsible disclosure policy". The submitter did not follow that policy and therefore did not get paid. It seems pretty simple.
Re: (Score:1)
More to the point. Let's say they don't pay this time. Next time someone finds a bug that effects Groupon what incentive do they have to report it to Groupon? Why not sell it on a Blackhat forum for a big ol pile of bitcoins?
Re: (Score:2)
Fair enough, but what about the other 30 or so bugs he reported?
By not following the rules he is disqualified from the program no matter how many bugs he submitted.
Next time someone finds a bug that effects Groupon what incentive do they have to report it to Groupon?
The same as before and they might actually follow the rules and get paid.
Re: (Score:3, Insightful)
If the 30 other bugs are forfeit because of a procedural mistake that only applied to one of the bugs, the next infosec researcher won't report 30 bugs. They will report them one at a time in an effort to maximize their rewards. The vulnerabilities will stay in the wild longer, the effectiveness of whole effort behind posting bounties is reduced.
Hunting for bugs sometimes requires consulting with others in the
Re: (Score:2)
The other issue are the 30 additional bugs just permutations of the bug that was published?
Re: (Score:1)
None the less I think it wiser to reward the good intent rather than punish on a technicality.
Re: (Score:2)
Then there is the alternate scenario.
1. Find bug.
2. Report to Groupon.
3. Publish on group just long enough to get noticed and replicated.
4. Garner publicity for finding bug.
5. Groupon deny bounty
6. Garner more publicity from controversy.
It might not be as innocent as they make it out to be. For some the notoriety is more important than the money.
Re: (Score:2)
Groupon had no intention of paying at all. If it weren't for that they would have just brought up some other technicality.
Now security researchers know what they really need to do if they want to make money from Groupon vulnerabilities...
Re: (Score:2)
Groupon had no intention of paying at all.
That is a generalized assumption based on one incident. You have no idea if they have paid out in other instances.
Re: (Score:2)
Re: (Score:2)
You don't understand Karma.
The victim deserves whatever you do to them. For actions in previous lives. They are at -1 to start, because Karma.
Re: (Score:1, Informative)
Nowhere in the policy does it say that the exploit cannot be published. But there is the magic pull the rug out from under everyone clause: "Notwithstanding any of the above, Groupon reserves the right to cancel or modify this program at any time and without notice."
http://www.groupon.com/pages/responsible-disclosure
The man should be paid. Fuck Groupon if they don't follow through and do the right thing.
That's the definition of Responsible Disclosure (Score:2)
Responsible Disclosure is a term of art which means informing the company confidentially and allowing them sufficient time to fix it before making it public.
Re:Don't follw the rules don't get paid. (Score:4, Informative)
Well the policy does say that they will not pay out for "Bugs that have been disclosed publicly or to third parties (brokers) by you or others"
Re: (Score:1)
Similarly, we also have a number of issues for which we will generally not pay out a bounty - and which include anything that reports an act that is abusive or in bad faith. These include:
...
- Bugs that have been disclosed publicly or to third parties (brokers) by you or others
Re: (Score:1)
Part of the requirements to be paid a bounty is following the "responsible disclosure policy". The submitter did not follow that policy and therefore did not get paid. It seems pretty simple.
I always make it even simpler, by citing my Greedy Bastard Policy regardless of what anyone does.
Editorial slant much? (Score:5, Insightful)
There's a dispute between two parties. I realize "company bad!" is everyone's default, but there ARE two sides to this story, and presenting one side with a heavy editorial slant is rarely productive.
Here are what appear to be the facts: A security researcher found several flaws on groupon.com. It's likely they were related, though how much so isn't directly stated. These flaws were reported to Groupon. At least some details related to at least some of the flaws were published online for a period of time, which may or may not be inadvertent. Groupon's stated policy is to reward researchers for reporting bugs, with a condition that the bugs are not also disclosed publicly before Groupon can address them. Groupon has declined to pay in this case because of the online posting.
Whether this is reasonable or horrible depends on a number of factor, for which we have only one person's word. Was the publishing of details inadvertent, or deliberate? How long was the post up? Did the post describe all the flaws, or just some? How detailed was the online description? Was the post proactively taken down by the author because it was posted "in error," or was it in response to Groupon's policy? How long did Groupon have information about this vulnerability before the online disclosure? All of these would affect my belief about who's being unreasonable to whom here.
Re: (Score:1)
It does make me question how Groupon knew he'd posted it if it was only up a few minutes. It would seem that if Groupon knew it had been posted, then even if it was only up for a minute, it's possible that very many interested parties could have noticed as well. Since they want to be able to fix the bugs and not have the bugs advertised to people who would exploit them, it makes sense to only pay a bounty when the expert was appropriately careful with the information. Even if you expose it for a moment, you
Re: (Score:1)
Even if the researcher did the wrong thing, inadvertent / deliberate or not, Groupon should be smart enough to realise the impact to both their reputation and their future ability to have people participate in their program if they get a reputation for not paying. They should also be smart enough to understand that they may now become a target for people wanting to 'teach them a lesson' even if they are 100% in the right.
Trojan-like problems haunt Groupon (Score:2)
Apparently this isn't their only issue in attempting to prevent infections [consumerist.com].
Pay The Man! (Score:2)
Groupon should pay attention to Richard Pryor:
www.youtube.com/watch?v=BcQ8zMOcV0E
Strange response (Score:4, Insightful)
From a 'big picture' point of view though, this was a very bad move. Security researchers are a group with whom you usually want to be on good terms. Maybe just reduce the payout over the one published exploit - but don't stiff the guy. Even if Brute Logic is a nice guy (tm) that continues to operate in a benevolent fashion, other security researchers (and their less-benevolent counterparts) may see this and decide that it is open season on Groupon.
Re: (Score:1)
I understand that he broke the terms. It is absolutely valid for Groupon to refuse to pay them. From a 'big picture' point of view though, this was a very bad move. Security researchers are a group with whom you usually want to be on good terms. Maybe just reduce the payout over the one published exploit - but don't stiff the guy. Even if Brute Logic is a nice guy (tm) that continues to operate in a benevolent fashion, other security researchers (and their less-benevolent counterparts) may see this and decide that it is open season on Groupon.
Which is basically what gangs would do when people would refuse to pay for the "insurance" they would "offer".
Posting anonymously, for obvious reasons.
Re: (Score:2)
Re: (Score:3)
I wasn't saying that the researchers are an organized gang of cyber-thugs cruisin' the web for sploits. I was just acknowledging how humans tend to act in groups. Most people see someone acting unfairly and say, "Gee, that's not nice."
Others, if they identify strongly with the individual they think was wronged, may take a more active role in meting out karma.
This is particularly problematic, if you've offered a bounty for holes in you
Re: (Score:2)
I'd rather swallow a little pride than have my shitter explode. To each his own, I guess.
Re: (Score:2)
Nah, hooligans (script kiddies evolved) wandering the net, the SPAM in your httpd log.
They are not the only one (Score:1)
I submitted a bug to a company who claimed to offer up to 100k, the company never responded to any of my emails and fixed the bug about a month later. It puts me in a tight spot, I can't disclose this now fixed bug (for many months) if I want to hold out any hope of getting paid. Makes it hard to name and shame them...
262c603833189cbf75eba31d9dab1344544b4919
I didn't know: Responsible Disclosure policy (Score:2)
Responsible disclosure fails to satisfy security researchers who expect to be financially compensated, while reporting vulnerabilities to the vendor with the expectation of compensation might be viewed as extortion. While a market for vulnerabilities has developed, vulnerability commercialization remains a hotly debated topic tied to the concept of vulnerability disclosure. http://en.wikipedia.org/wiki/R... [wikipedia.org]
Still fell Groupon has a debt to pay, unless he did indeed release the info before Groupon could act o
That's the deal (Score:2)
You're basically being paid to keep it private until patched. Brute Logic blew it.
Groupon is an Open Source shop, and their staff is quite aware of good practices.
Had Brute Logic not disclosed, I am sure a check would be on its way.
Correct program (Score:2)
I have come across vulnerabilities in consumer products, banks, and governments (though no airplanes). Here is a policy I use and I have not yet gone to jail, have gotten all problems fixed quickly, and usually gotten credit or some reward even if not requested.
> Hello, I have inadvertently found a security issue in your product, it allows you to do XXX which is not expected. I am publishing this on my security blog in [48 hours / 5 days / 2 weeks].
Any time I have deviated from this process even
Cry more please (Score:2)
That's easy (Score:2)
cult (Score:1)
Groupon? Is that still a thing?
I don't think I have ever seen CSRF implemented right. Certainly not on Django. OK that's not XSS but still. There's a lot of cargo cult security out there.
Own fault (Score:2)
Well even if it was exposed for a brief moment, it means it was exposed, so the only one he can blame is himself, he shouldn't even have talked about it 'privately' on that site..
He should just stop blaming Groupon and just stop acting like a crybaby, especially if he claims there are 30 other problems, so he can get money for those.
Reasonable (Score:2)
Who wants to pay someone who calls himself "Brute Logic"?
If he'd called himself "dark wizard" he'd get his reward!
4chan (Score:2)
Re:Good for them (Score:5, Informative)
I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
If they really wanted to line their pockets, they'd sell them to the black hats.
Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.
Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)
Re:Good for them (Score:5, Insightful)
very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality
Except this only works a couple times. Who is going to spend their time on Groupon now that they know they'll weasel out of paying?
Re: (Score:2)
Re: Good for them (Score:1)
If it's so easy then they really don't have an excuse and should be forced to pay. The work is important and it's been done. It needs to be paid for.
Re: (Score:1)
Obviously you would loose the best experts who will spend the time and have the expertise to find the most obscure vulnerabilities. If those researchers where not interested at all in the program ( too small bounty for the effort, groupon track record etc) then Groupon losses nothing by having stingy payment po
Re: (Score:2)
> then Groupon losses nothing by having stingy payment policies.
Unless those experts sell their exploit to the black market and a successful exploit is carried out against Groupon and it's customers. Then I'd say they have lost something.
Re: (Score:1)
A:"What is this? You expect me to pay you $1,000 to fix one line of code, which took you less than 5 minutes to do?? I demand an itemized bill!
B: Takes back the bill and tears it up. Writes something on a fresh billing sheet and hands it to A.
A: (reading new billing aloud) "Item One. Fixing one line of code: $5. Item Two. Knowing which line to fix: $995."
Re: (Score:1)
Re: (Score:3)
Especially since it appears sometimes bounty programs cost almost nothing to implement.
Re: (Score:2, Insightful)
Re: (Score:2)
for one exploit that was refused, how is it legitimate to deny the bounty for the other 29?
i imagine they just made an enemy, or at least lost an ally, over 10k at most?
you how bad a hit they'd take if they had a theft of data? target claims that their data breach depressed their holiday profits by 47 percent...
i think groupon has got yearly profits in the billions range... and they're quibbling over a few thousand?
Re: (Score:2)
for one exploit that was refused, how is it legitimate to deny the bounty for the other 29?
because life's not completely disconnected like that?
because you don't pay someone that publicly exposed exploits without giving you a chance to fix them.
say you paid a guy to mow your lawn for $20 and wash your car for $20. he does a fine job mowing your lawn, but in the process of washing your car he breaks your windshield and slits your tires (maliciously, and offering no compensation). would you pay him for mowing your lawn?
Re: (Score:2)
Re: (Score:2)
it seems it was 1 exploit that affected 30 systems. so the point is moot.
as an exercise though, yes, yes you do.
if this were a business decision/transaction at all you would.
if it were 30 separate exploits, you would pay him for 30 exploits, and charge him damages for the 1 that got away. Penalties or what have you. And you do this because it's more orderly that way, and you're trying to be aboveboard with this individual and with the community as a whole. For future collaboration.
You do it so the guy h
Re: (Score:2)
if it were 30 separate exploits, you would pay him for 30 exploits, and charge him damages for the 1 that got away.
man, life, you're new to it huh? good luck when you leave you mom's basement and discover that's not how life works.
Re: (Score:2)
:) depends on the business you're in. but it's how it's done in at least one fast-paced industry... trucking... and probably a shit-ton more than that.
you get a relationship, you forgo the contract. payment on delivery, and you don't quibble over the small stuff. establish terms, and if the other guy delivers on time, you pay him, if he says you owe him money, you verify it, and you pay him. If he fucks something up, he gives you a discount on the invoice or he pays for it. You don't fucking jeopardize
Re: (Score:2)
They definitely could have played it differently. The fact that the disclosure post was removed quickly may indicate wrongdoing, that he realized he messed up. So, fine, remove the disclosed vulnerabilities from the bounty, but still pay the bounty for the others. If he had submitted each issue separately they would have paid the others that he didn't disclose.
Re: (Score:2)
he fact that the disclosure post was removed quickly may indicate wrongdoing, that he realized he messed up. So, fine, remove the disclosed vulnerabilities from the bounty, but still pay the bounty for the others.
sometimes when you f-up you just have to eat it. accept responsibility and the outcome of YOUR mistake. behavior like this is a side affect of the having parents that never let your learn lessons the hard way. lost your iPod little Johnny? we'll buy you a new one. i don't blame him for being upset. anyone would be upset. but it's his mistake.
If he had submitted each issue separately they would have paid the others that he didn't disclose.
almost certainly not. they are not paying him because he did something very irresponsible. he did exactly what that the bounty program is trying to prevent. it's like i
Re: (Score:2)
it's like if you offered someone $20 to wash your car, which they did, but then threw a bucket of mud on it. would you still pay them the $20?
Uh, no. But if I got 30 washes, and the car was cleaned 29 times, and one time it had mud on it, I would still pay for the other 29 washes.
Re: (Score:2)
Except this only works a couple times. Who is going to spend their time on Groupon now that they know they'll weasel out of paying?
groupon would rather bugs not be reported at all than having them posted openly on the internet before they have a chance to fix them. anyone would. this guy did them a major disservice.
Re: (Score:2)
And who's to say that he doesn't have another three dozen that he knows about, but held back?
Re:Good for them (Score:5, Insightful)
I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
If they really wanted to line their pockets, they'd sell them to the black hats.
Blindly disclosing the security holes to the internet at large makes the internet less safe in the short term since the bad guys can exploit the vulnerabilities before the good guys can fix them.
Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win - no need to pay money to hire security experts when a community of bug hunters will do the work for a token bounty, and no reason to actually pay the bounty when you can find a technicality (if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)
I'm sure they do have their own people looking for vulnerabilities, but if outsiders also find vulnerabilities they'd like to know.
As for the non-payout I doubt Groupon's motive is financial. Far more likely they really want to discourage people from disclosing the bugs publicly before they have a chance to fix them.
Whether Groupon is being reasonable is the question here.
I'm personally skeptical that the expert found 32 separate issues but suspect he found 32 variations on the same issue (he says 32 sites affected, which leads me to believe this is the case). If so the description of one issue could give an attacker enough of a clue to find the other 31 issues.
Then again it could be 32 legitimately unique issues, and the one vague disclosure might not have been enough to help an attacker. In that case Groupon should probably pay him out.
Re:Good for them (Score:4, Interesting)
I'm tired of these security experts holding these sites hostage. They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
If they really wanted to line their pockets, they'd sell them to ......
Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win .......
I'm sure they do have their own people looking for vulnerabilities, but if outsiders also find vulnerabilities ....
Interesting...
Vulnerability testing is sometimes difficult from inside.
Companies have security policies that could make testing by employees quite difficult.
Testing from home is often excluded by company rules.
Network and hardware management also adds to this issue.
Laws are making it harder and harder for White hats to operate.
The issue of script rich "experts" hunting bounty is interesting.
First the bounty needs rules and pre disclosure rules need to be bounded in time.
Fixing it when I darn well want to is not no a working answer.
Script discovered flaws are likely industry standard flaws most with well known solutions.
A list of script triggered flaws that is as long as this tells me that the engineering
staff and management need to have their bonus packages reviewed. It seems
like a flawed culture. Non payment of the bounty is a symptom if the report
was held private for a fair length of time.
Some companies have "sat" on bugs and faults. The most famous list of faults
are enumerated in the security book written by Robert Morris. Almost none were fixed then
his son coded the Morris worm. That should have been the clue to the
industry but it was not. The response was mostly legal not technical which
is an inversion of the needs of national security where the laws of a nation
cannot protect from predators in other nations.
There is an astounding cognitive failure when a nation passes laws and fails to ...
to address the technical reach of those outside the reach of the law. Predator drones
are not an answer
This flawed protectionist mind set by many US TLAs is a problem.
Other nations have the same issue and should be filing bugs with vendors
left and right. Some nations might need a proxy for this but again
national laws could find these people acting as agents of a foreign government
to their loss of freedom.
Kafka is giggling.
Re: (Score:2)
Those who make peaceful vulnerability discovery impossible will make violent exploiting inevitable.
Re: (Score:3)
(if one out of 30 bugs were released in violation of their guidelines, why aren't they paying their promised bounty for the others?)
Maybe there is only one bug and the remaining 29 are just trivial exploit variations of a single error. Of course, if that were true, it would help if Groupon actually explained that rather than hiding behind generalized and opaque "policy" reasons.
Re:Good for them (Score:4, Interesting)
Full disclosure also encourages the vendors to fix their shitty code asap, and encourages a preemptive security conscious culture. These are good things.
Re: (Score:2)
Depends. If the vendor intends to fix reported problems reasonably fast, then full disclosure gives the bad guys a boost up. If the vendor doesn't care about reported problems, it might light a fire under them. Knowing nothing about how Groupon addresses reported vulnerabilities, all I can say is that they can set bounty rules as they like, and people either will or won't look for vulnerabilities.
Re: (Score:2)
Perhaps, but then vendors who routinely do not fix their shit promptly will have bad reputations from repeated breaches, as it should be. Hopefully such companies go out of business.
Of course, they can set them as they please, but I can also criticize 'ethical hacker' policies that are too soft on vendors.
Re: (Score:2)
Groupon could hire people themselves to find the vulnerabilities, but they chose not to, instead they offer a bounty for security bugs, which apparently is very cost effective when they don't pay up, so it's a double win
maybe you aren't familiar with how bug bounties work. it's when a company pays a finder for *privately* reporting issues before they are discovered publicly. this guy did both. he reported it privately when went on to disclose it publicly. you think a company should reward someone for disclosing security vulnerabilities publicly before they have a chance to fix them?
Re: (Score:2)
How did he hold it hostage? He disclosed the vulnerabilities to them privately before doing anything else. This wasn't a case of "shame them now, hope for a payout later". It was a case of "responsible disclose it privately, then do a stupid thing by disclosing it publicly before they've had a chance to pay you". As much as I don't like Groupon, I'm not sure which side of this disagreement I think is (most) in the wrong.
Re: (Score:1)
I don't get it. Someone please explain to the rest of us if there is either a verbal or written contract between security experts and website/merchanting/data corporations or business? Or is this some kind of tradition or unwritten corporate responsibility?
Re: (Score:2)
Want to share your knowledge?
Re:Good for them (Score:5, Insightful)
They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
A safer internet doesn't put food on their table.
It's Groupon who is lining their pockets, when they could be building a safer internet by actually paying money for security. It's the reluctants of companies to take security seriously and spend time and money on it that leads to an unsafe internet.
And then we get dumb things like this "responsible disclosure program," which is really not about protecting users, but protecting Groupon's reputation. That is to say... it's a PR-protecting policy, not a policy for protecting users' safety. The unintentional disclosure they referenced regarding ONE of the 30 vulnerabilities didn't even reveal meaningful information about the vulnerability, therefore: Groupon was not concerned about exploit details being disclosed, but ONLY the fact that there was publicity being generated that said their site was insecure.
The researchers need the bounty proceeds to justify spending the time researching to discover them. It's the companies that are lining their pockets, by avoiding hiring people like these folks and other security professionals to do this ----- instead offering small bounties, only available if they DO discover something wrong after spending possibly thousands of hours beating around looking for something wrong.
Re: (Score:3)
I'm trying to understand the use of the word 'moments'. It seems the article, which is clearly biased in favour of the security researcher, is trying to downplay the actual event. It is hard to really grasp exactly what happened here because the amount of time that the posting was live is not specifically mentioned. Generally, I would assume moments is about 10-15 seconds or less. However the following happened in those 'moments':
1. The issue was published
2. Somebody realized it was publ
Re: (Score:2)
That would be a dick move. Instead, he expected the bug bounty Groupon had advertised for reporting bugs to them and not talking about them until Groupon can fix them. However, by making the knowledge public too early, he violated the bounty policy.