GROUPON WEBSITE RESPONSIBLE DISCLOSURE

Groupon’s Commitment to Security

At Groupon we are committed to maintaining the security of our systems and data. We believe that good security is critical to maintaining the trust of our customers, merchants and employees. As such, we strive to continuously improve our security to ensure that we are prepared to meet the challenges posed by an ever-evolving threat landscape.

Bug Bounty Program

We value your input. When properly notified of a security issue, we are committed to working with you to understand and remediate verified problems. If you believe you have found an issue on our site, we encourage you to report it to us in a private and responsible way. To encourage this, we have established a reward program which will pay a bounty for verifiable security issues reported to us through the proper channel.

What Vulnerabilities Qualify for the Bounty?

Although not an exhaustive list, any issue that potentially affects the confidentiality, availability, or integrity of our customers' data will be considered for a bounty. Some examples of those types of issues include:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL/Code Injection
  • Issues identified with our authentication or session management mechanisms

Which Sites Qualify for the Bounty?

  • www.groupon.com
  • www.groupon.ca
  • www.groupon.co.uk
  • www.groupon.de
  • www.groupon.es
  • www.groupon.it
  • www.groupon.fr
  • www.groupon.ie
  • www.groupon.nl
  • www.groupon.be
  • www.groupon.pl
  • www.groupon.ae
  • www.groupon.co.il
  • www.groupon.com.ar
  • www.groupon.com.br
  • www.groupon.com.au
  • www.grouponnz.co.nz
  • www.groupon.sg
  • www.groupon.hk
  • www.groupon.jp
  • api.groupon.com
  • api.groupon.de

Similarly, we also have a number of issues for which we will generally not pay out a bounty, including anything that reports an act that is abusive or in bad faith. These include:

  • Bugs identified via off-the-shelf vulnerability or security scanners, including open source, free, or commercial tools, e.g. Burp Suite, Websecurify, Zed, Wikto.
  • Information revealed that may be interesting from a security standpoint but does not represent a security issue in-and-of itself. This includes but is not limited to: reporting on open ports, SSL Labs output, and stack traces that disclose information.
  • Infrastructure attacks, including brute force or denial of service
  • Issues that require physical access, social engineering, and/or manual steps that a user would never execute on their own (e.g. copying scripts into a debug console).
  • Tools that generate a significant amount of traffic or any activity deemed to be disruptive to other users
  • Attacks against other user accounts (target your own account only)
  • Issues that we are already fixing or that someone else has previously reported
  • Issues that are only exploited with old and typically-unused software, such as XSS that can only be exploited using an outdated browser.
  • Open redirects. For the instances where the impact results in the exposure of sensitive information or login compromise, please submit them and we will analyze from there.
  • Content injection issues.
  • Fraud-related issues are not part of the program.
  • Underspecified reports where the information provided is insufficient to reproduce the vulnerability
  • Functionality bugs which do not compromise the security of our users’ accounts or personal information
  • Bugs that have been disclosed publicly or to third parties (brokers) by you or others
  • Vulnerabilities on sites that are not owned or operated by Groupon
  • Testing a suspected vulnerability in a way that violates any law or compromises data that is not your own
  • Issues for which POC videos or other materials proving the issue have been uploaded to a third-party website, even if marked as not publicly searchable

Reporting Suspected Vulnerabilities

If you believe that you have found a vulnerability, please report it to responsible-disclosure@groupon.com. A written description is required if you are sending a POC video. Our security team will interact with you directly from there. We encourage the use of encryption in your communications with us and ask that you encrypt your message to us whenever possible. Our public PGP key can be downloaded from here and is located at the bottom of this page.

Terms

In addition to the information provided above, the following Terms also apply to your participation in Groupon’s Responsible Disclosure Program. Please note that whether to award bounties and the bounty awarded for identified issues will vary and remain at all times at Groupon’s discretion. If multiple vulnerabilities are reported or are closely related, we may choose to only award a single bounty. We may choose not to award bounties when we launch new products for a beta period, or otherwise are actively in a development or upkeep cycle. We may also require documentation for tax reporting purposes before we are able to pay certain bounties and we are unable to award bounties to individuals or in situations where to do so would violate a sanction list maintained by the U.S. Office of Foreign Assets Control (“OFAC”) or conflict with the letter or spirit of other applicable State, Federal or Territorial law, rule or regulation. Notwithstanding any of the above, Groupon reserves the right to cancel or modify this program at any time and without notice.

Confidentiality

Any information you receive or collect about Groupon, its affiliates or any of their users, employees or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, publish, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without Groupon’s prior written authorization.

Last Updated: January 25, 2017

Our PGP key:

PGP Fingerprint:
2B23 9686 089B 5D61 5D47  895F A4D1 BF1C 176E D385