GROUPON WEBSITE RESPONSIBLE DISCLOSURE
Grouponâs Commitment to Security
At Groupon we are committed to maintaining the security of our systems and
data. We believe that good security is critical to maintaining the trust of
our customers, merchants and employees. As such, we strive to continuously
improve our security to ensure that we are prepared to meet the challenges
posed by an ever-evolving threat landscape.
Bug Bounty Program
We value your input. When properly notified of a security issue we are
committed to working with you to understand and remediate verified problems.
If you believe you find an issue on our site, we encourage you to report it to
us in a private and responsible way. In order to encourage this, we have
established a reward program which will pay a bounty for verifiable security
issues reported to us through the proper channel.
What Vulnerabilities Qualify for the Bounty?
Although not an exhaustive list, any issue that potentially affects the
confidentiality, availability, or integrity of our customer's data will be
considered for a bounty. Some examples of those types of issues include:
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Issues identified with our authentication or session management mechanisms
Which Sites Qualify for the Bounty?
Similarly, we also have a number of issues for which we will generally not pay
out a bounty - and which include anything that reports an act that is abusive
or in bad faith. These include:
Bugs identified via off-the-shelf vulnerability or security scanners including open source / free / or commercial tools, i.e. burpsuite, Websecurify, Zed, Wikto.
Information revealed that may be interesting from a security standpoint but does not represent a security issue in-and-of itself. This includes but is not limited to: reporting on open ports, SSL Labs output, and stack traces that disclose information.
Infrastructure attacks, including brute force or denial of service
Issues that require physical access, social engineering, and/or manual steps that a user would never execute on their own (i.e. copying scripts into a debug console).
Tools that generate significant amount of traffic volume or any activity deemed to be disruptive to other users
Attacks against other user accounts (target your own account only)
Issues that we are already fixing or that someone else has previously reported
Issues that are only exploited with old and typically-unused software, such as XSS that can only be exploited using an outdated browser.
Open redirects. For the instances where the impact results in the exposure of sensitive information or login compromise, please submit them and we will analyze from there.
Content injection issues.
Fraud-related issues are not part of the program.
Underspecified reports where the information provided is insufficient to reproduce the vulnerability
Functionality bugs which do not compromise the security of our usersâ accounts or personal information
Bugs that have been disclosed publicly or to third parties (brokers) by you or others
Vulnerabilities on sites that are not owned or operated by Groupon
Testing a suspected vulnerability in a way that violates any law or compromises data that is not your own
POC videos or other materials that prove the issue have been uploaded to third party website, even if marked as not publicly searchable
Reporting Suspected Vulnerabilities
If you believe that you have found a vulnerability, please report it to
firstname.lastname@example.org). A written description is required if you are sending
a POC video. Our security team will interact with you directly from there. We
encourage the use of encryption in your communications with us and ask that
you encrypt your message to us whenever possible. Our public PGP key can be
downloaded from [here](https://pgp.mit.edu/pks/lookup?search=responsible-
disclosure%40groupon.com&op=index) and is located at the bottom of this page.
In addition to the information provided above, the following Terms also apply
to your participation in Grouponâs Responsible Disclosure Program. Please
note that whether to award bounties and the bounty awarded for identified
issues will vary and remain at all times at Grouponâs discretion. If
multiple vulnerabilities are reported or are closely related, we may choose to
only award a single bounty. We may choose not to award bounties when we launch
new products for a beta period, or otherwise are actively in a development or
upkeep cycle. We may also require documentation for tax reporting purposes
before we are able to pay certain bounties and we are unable to award bounties
to individuals or in situations where to do so would violate a sanction list
maintained by the U.S. Office of Foreign Assets Control (âOFACâ) or
conflict with the letter or spirit of other applicable State, Federal or
Territorial law, rule or regulation. Notwithstanding any of the above, Groupon
reserves the right to cancel or modify this program at any time and without
Any information you receive or collect about Groupon, its affiliates or any of
their users, employees or agents in connection with the Bug Bounty Program
(âConfidential Informationâ) must be kept confidential and only used in
connection with the Bug Bounty Program. You may not use, disclose, publish, or
distribute any such Confidential Information, including without limitation any
information regarding your Submission, without Grouponâs prior written
Last Updated: January 25, 2017
Our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFU6ZZABCACm27J5oCBSHzHVN0yQSDCrS5gJxsGTAq0rnpluomL/k3eOEDLn 3UC0Wt/+xQIome4THA216o+lNtlbmlqoQULjYN1JT4G/gIEAF0zC/WGB92QbO5UI RFhoAL8eFEu6Mrvp3K7YjyIu7ah2WacR/Vl5OmdIBOyiqF1nQU1l7XpOSpytglyd 0ixWLS+IiJsdwQAdpa1tRle5uYgkSHlXyj2a6lI8e4bSHN6XpsWeLis6RYTNtJOQ ZDGRA5j0NnWubKeFQeDTVTQfshDcfwuX4D3XlL58jDBsIuQOgdm0tWegfoi2I6I7 9c9xSrertWXaS3DNx/itclPyRF9+engGQPg1ABEBAAG0Tkdyb3Vwb24gU2VjdXJp dHkgKFJlc3BvbnNpYmxlIERpc2Nsb3N1cmUpIDxyZXNwb25zaWJsZS1kaXNjbG9z dXJlQGdyb3Vwb24uY29tPokBPgQTAQIAKAUCVTplkAIbAwUJBaOagAYLCQgHAwIG FQgCCQoLBBYCAwECHgECF4AACgkQpNG/HBdu04UFjQgAlNDsIMjqBQWJ9MisP8mJ i6CgYefvmrS5yUZNXd21/KDiDs5xPDlQ+hpnAkTuBKFS6J0/Dn8Ik+5R2k/wvEn0 Vg+vBgujF0WyYnjAa4dGzG0+Wvb9jmXj0GKmuHFZhUrxoxYNi+/rrFurMmtG1p5t VT6lJaVwIPm71UyYB2M0iUzT8sNugjtgHac3/baF53K8uOpPXPMNNJ/9tra42UPP pIZfHap4GdqianVcryfdlYLHTC07E8H4QZKt/pFaKqisMtAlICSJxO9NTDlpE9WD 0oByDXOZFl/UeEqRCC+D4YNijlrpfVB9vNoLPz85o9qN5MAJtWkbtrFtNR21Ur2c T7kBDQRVOmWQAQgA03TNqORHRVmRzExbeSxkrNYfpETgqDy7gAW5XoE6MYL2Sr3V bFnuk22JSCe1KRMRc7r9qJJHiVjhE9ZMNeAtd5VRf8vp1aTadMIodXH9dRG5XelZ oQZnZ5hXSThHpFxX+Hsq9ZEMLfMuu5jkyzNFMVvDlfTOxjofxszETQFe8xfkkc9A Ccj8h2LGtHBOyDoC6cAxQLGhkqQVh2+lfY62zmoOY4zUu3xh9CQNFeqOa/Aw63p/ Zg2CWpyjD7EMd6ur7heGcb1pTgzfyParcbq7J0cXyG4seHp0DprH7yLFrBZXPRaD 3bLzVbncd/+y0exMyC5PZpH0Z8XRbZBPiOZ5MwARAQABiQElBBgBAgAPBQJVOmWQ AhsMBQkFo5qAAAoJEKTRvxwXbtOFljsH/j8JPxHsds+wLdVyNq2ogCBODlKKbAgP JM/CHGgWJsG+tL+Q/ISTju+0Z4B+D+afMQt87MVTiKkcGZhMIpQU3UP8+3pebpUi 0SJjraj0oCmxcCUlzjkTUvGtEw7PwRE4kQybx65OcG8iOzGqn7dm1TIxT0dfriIi f9vRkuZl2DaQqivXOLIiiSpnhbjxXfBHCCiCnopPLiQnq1zjkZKHPrAn4rUF6s6n U7oKa9aT5MoV3lKlXfGeQpfaWJgdjuFIRTsgXNXQ4jguWvTZRQ6i7S3055NDqydn Z9QJXP9j8gCnEW1tVSk7xPuCJnPg8ehsyjXyqXoskv1/VFVv/OBR3tY= =IfnW -----END PGP PUBLIC KEY BLOCK----- PGP Fingerprint: 2B23 9686 089B 5D61 5D47 895F A4D1 BF1C 176E D385
This program crawled on the 2015-07-16 is sorted as bounty.