Published in News

Groupon refuses to pay out on virus bounty

24 April 2015


Bounty hunter a little miffed

Discount and deal site Groupon has a novel way of dealing with bounty hunters who point out security flaws in its systems. It lets them discover the flaws and refuses to pay up.


Security researcher Brute Logic reported 32 XSS (cross-site scripting) issues with Groupon's site, some of them particularly serious. Normally he would expect a bit of cash, but the company cited its Responsible Disclosure policy and told the bounty hunter to go forth and multiply.

Brute Logic says that the issue is all the more serious because Groupon stores credit card details. Since the flaws are XSS, an attacker could craft a link on Groupon's own domain that injects attacker-controlled content into the page, making it incredibly easy to trick victims into visiting what is effectively a fake site without ever leaving the trusted address.
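To show why a crafted link on a trusted domain is dangerous, here is an added example, not Groupon's code and not anything from Brute Logic's report: a search handler that reflects a query parameter into the page unescaped, beside the same handler with output encoding. The host names, the /search endpoint and the payload are assumptions for illustration only; nothing on this page identifies the actual vulnerable Groupon URLs.

```javascript
// Added example (not Groupon's code). Demonstrates reflected XSS: a URL on the
// trusted domain whose query parameter ends up in the HTML unescaped, and the
// fix. Host names and the /search endpoint are assumed for illustration.

// Vulnerable handler: reflects the "q" query parameter straight into the HTML.
function renderVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return `<html><body><h1>Deals matching ${q}</h1></body></html>`;
}

// Minimal HTML entity escaping for text placed between tags.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed handler: same page, but the user-controlled value is encoded first.
function renderFixed(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return `<html><body><h1>Deals matching ${escapeHtml(q)}</h1></body></html>`;
}

// Crude tester's check: did a live <script> tag survive into the output?
function hasInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed attacker link (hypothetical hosts). The payload bounces the
// victim to a lookalike login page on an attacker-controlled host, so the
// victim only ever clicked a link on the legitimate domain.
const payload = "<script>location='https://attacker.example/login'</script>";
const craftedUrl =
  "https://www.example-deals.test/search?q=" + encodeURIComponent(payload);

console.log("vulnerable handler executes payload:", hasInjectedScript(renderVulnerable(craftedUrl))); // true
console.log("fixed handler executes payload:     ", hasInjectedScript(renderFixed(craftedUrl)));      // false
```

Note that `encodeURIComponent` leaves the single quotes in the payload raw and the WHATWG URL parser percent-encodes them in the serialized query; `searchParams.get` decodes everything back, which is exactly what the server-side framework does before handing the value to the template. Output encoding at the point of insertion, not input filtering at the URL, is what closes the hole.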

On 17 April he contacted Groupon's security team, which got back to him saying that it had isolated the issue and would be in touch again once a patch had been produced.

As a contributor to XSSposed.org, Brute Logic spoke with people at the site, and a reference to one of the security issues ended up being published there. It appeared online for only a few moments and was removed once it was realised it had been published in error, but Groupon is using this as its reason for refusing to pay out.

Groupon's Bug Bounty Program terms say:

"We encourage you to report it to us in a private and responsible way. In order to encourage this, we have established a reward program which will pay a bounty for verifiable security issues reported to us through the proper channel."

Brute Logic argues that the remaining 30 or so problems were never disclosed at all, and that only very scant details of a single flaw were published, and only for a very short time. In a further email, Groupon said:

"Unfortunately we won't be able to offer you a bounty for this submission. In the future we ask that you respect our responsible disclosure policy and not publicly disclose the vulnerability without proper notification. We noticed that you submitted the vulnerability to xssposed.org."

Understandably, Brute Logic is not happy, seeing the company as trying to get out of paying a bounty on a technicality.
