Groupon’s Commitment to Security

At Groupon we are committed to maintaining the security of our systems and data. We believe that good security is critical to maintaining the trust of our customers, merchants and employees. As such, we strive to continuously improve our security to ensure that we are prepared to meet the challenges posed by an ever-evolving threat landscape.

Bug Bounty Program

We value your input. When properly notified of a security issue we are committed to working with you to understand and remediate verified problems. If you believe you find an issue on our site, we encourage you to report it to us in a private and responsible way. In order to encourage this, we have established a reward program which will pay a bounty for verifiable security issues reported to us through the proper channel.

What Vulnerabilities Qualify for the Bounty?

Although not an exhaustive list, any issue that potentially affects the confidentiality, availability, or integrity of our customers' data will be considered for a bounty. Some examples of those types of issues include:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL/Code Injection
  • Issues identified with our authentication or session management mechanisms

Which Sites Qualify for the Bounty?


Similarly, we also have a number of issues for which we will generally not pay out a bounty, including any report that involves an act that is abusive or in bad faith. These include:

  • Bugs identified via off-the-shelf vulnerability or security scanners, including open source, free, or commercial tools, e.g. Burp Suite, Websecurify, Zed, Wikto.
  • Information revealed that may be interesting from a security standpoint but does not represent a security issue in-and-of itself. This includes but is not limited to: reporting on open ports, SSL Labs output, and stack traces that disclose information.
  • Infrastructure attacks, including brute force or denial of service
  • Issues that require physical access, social engineering, and/or manual steps that a user would never execute on their own (e.g. copying scripts into a debug console).
  • Tools that generate a significant amount of traffic, or any activity deemed to be disruptive to other users
  • Attacks against other user accounts (target your own account only)
  • Issues that we are already fixing or that someone else has previously reported
  • Issues that are only exploited with old and typically-unused software, such as XSS that can only be exploited using an outdated browser.
  • Open redirects. For the instances where the impact results in the exposure of sensitive information or login compromise, please submit them and we will analyze from there.
  • Content injection issues.
  • Fraud-related issues are not part of the program.
  • Underspecified reports where the information provided is insufficient to reproduce the vulnerability
  • Functionality bugs which do not compromise the security of our users’ accounts or personal information
  • Bugs that have been disclosed publicly or to third parties (brokers) by you or others
  • Vulnerabilities on sites that are not owned or operated by Groupon
  • Testing a suspected vulnerability in a way that violates any law or compromises data that is not your own
  • POC videos or other materials demonstrating the issue that have been uploaded to a third-party website, even if marked as not publicly searchable

Reporting Suspected Vulnerabilities

If you believe that you have found a vulnerability, please report it to A written description is required if you are sending a POC video. Our security team will interact with you directly from there. We encourage the use of encryption in your communications with us and ask that you encrypt your message to us whenever possible. Our public PGP key is available for download and is also located at the bottom of this page.
In addition to the information provided above, the following Terms also apply to your participation in Groupon’s Responsible Disclosure Program. Please note that whether to award bounties and the bounty awarded for identified issues will vary and remain at all times at Groupon’s discretion. If multiple vulnerabilities are reported or are closely related, we may choose to only award a single bounty. We may choose not to award bounties when we launch new products for a beta period, or otherwise are actively in a development or upkeep cycle. We may also require documentation for tax reporting purposes before we are able to pay certain bounties and we are unable to award bounties to individuals or in situations where to do so would violate a sanction list maintained by the U.S. Office of Foreign Assets Control (“OFAC”) or conflict with the letter or spirit of other applicable State, Federal or Territorial law, rule or regulation. Notwithstanding any of the above, Groupon reserves the right to cancel or modify this program at any time and without notice.
Any information you receive or collect about Groupon, its affiliates or any of their users, employees or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, publish, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without Groupon’s prior written authorization.

Last Updated: January 25, 2017

Our PGP key:
PGP Fingerprint:
2B23 9686 089B 5D61 5D47  895F A4D1 BF1C 176E D385