It’s very common these days for tech companies like Google and Microsoft to offer hackers and security researchers big bucks if they’re able to find security vulnerabilities that could pose serious threats to important software and services. Google in particular often hosts its own hacking competition, where the search giant puts millions of dollars on the line for anyone savvy enough to skirt around Google’s built-in security schemes.
Recently, one security researcher found a number of high-level vulnerabilities on Groupon’s website. Groupon promptly patched the security holes but, as it turns out, is refusing to pay him.
A security researcher who goes by the name BruteLogic recently uncovered upwards of 32 cross-site scripting issues on Groupon’s website, a huge problem, as it would enable malicious attackers to easily create a spoofed Groupon website and abscond with user credit card information.
On April 17 he contacted Groupon to report the problems and heard back almost immediately with a note saying that the company would investigate and report back shortly. The security team then got back saying that it had managed to isolate the issue and would be back in touch once a patch had been produced.
BruteLogic enquired about the level of financial reward that might be offered, and Groupon responded by saying that the bounty was calculated on a case-by-case basis, promising to “circle back” with details of what could be offered in this instance.
But when the dust settled, and the security holes were finally fixed, Groupon opted not to ante up.
Citing its own Responsible Disclosure policy, Groupon said it wasn’t going to pay BruteLogic because the security vulnerabilities at issue momentarily wound up on the Xssposed.org website. Per Groupon’s policy, and indeed this is not uncommon, cash payouts are only made when security vulnerabilities are brought to Groupon’s attention without first being made public.
So because the security issues involved ended up on a public website before Groupon had an opportunity to address the problem, the deals-based company declined to pay BruteLogic what he thinks he deserves.
In a message sent to BruteLogic, Groupon explained:
Unfortunately we won’t be able to offer you a bounty for this submission. In the future we ask that you respect our responsible disclosure policy and not publicly disclose the vulnerability without proper notification. We noticed that you submitted the vulnerability to xssposed.org.
While one’s first reaction might be to think that Groupon is acting ridiculously, its point of view is not entirely without merit. After all, bringing a security issue to Groupon’s attention after disclosing it publicly effectively defeats the purpose of such an arrangement. The very point of a bounty program is to have vulnerabilities reported and fixed before attackers in the wild can take advantage of them.