Online security has hit a new level of importance. Even pornography websites are starting to embrace good practices.
Pornhub, the largest porn site on the Internet, today launched a bug bounty program in conjunction with HackerOne. Rewards start at a minimum of $50 and can go up to as high as $25,000.
While Pornhub’s bug bounty program is opening publicly today, it actually first debuted in May 2015 as a private, invite-only affair. About 10 to 15 security researchers participated. Of the 23 valid bugs that they reported, 21 bounties were issued for a total of $2,750. The highest payout was $1,250.
To qualify for a bounty reward, security researchers must meet the following requirements:
June 5th: The AI Audit in NYC
Join us next week in NYC to engage with top executive leaders, delving into strategies for auditing AI models to ensure fairness, optimal performance, and ethical compliance across diverse organizations. Secure your attendance for this exclusive invite-only event.
- Be the first to report a technical security vulnerability directly related to the Pornhub infrastructure
- Send a clear textual description of the report along with steps to reproduce the vulnerability
- Include attachments such as screenshots or proof of concept code
- Disclose the vulnerability report directly and exclusively to Pornhub
This is pretty standard stuff for bug bounty programs. As you might expect, public disclosure of the vulnerability prior to resolution will result in disqualification from the program.
Pornhub does not allow any activity that would disrupt, damage, or adversely affect any third-party data or account. The program also prohibits denial of service attacks, physical attacks against offices and data centers, social engineering, compromising of user or employee accounts, and any form of automated exploitation.
Furthermore, the following vulnerabilities will not be considered for bounty:
- Cross site request forgery (CSRF)
- Cross domain leakage
- Information disclosure
- XSS attacks via Post requests
- Missing SPF records
- HttpOnly and Secure cookie flags
- HTTPS related (such as HSTS)
- Session timeout
- Missing X-Frame or X-Content headers
- Click-jacking
- Rate-limiting
Pornhub promises its security team will respond to all reports within 30 days. Furthermore, the company is committing up to 90 days to implement a fix, as long as the vulnerability disclosed is deemed severe.
“Like other major tech players have been doing as of late, we’re tapping some of the most talented security researchers as a proactive and precautionary measure — in addition to our dedicated developer and security teams — to ensure not only the security of our site but that of our users, which is paramount to us,” Pornhub vice president Corey Price said in a statement. “The brand new program provides some of our developer-savvy fans a chance to earn some extra cash – upwards to $25K – and the opportunity to be included in helping to protect and enhance the site for our 60 million daily visitors.”
Bug bounty programs are used by much larger tech companies, including Facebook, Google, and Microsoft, with great results. While Pornhub may not have their size and scope, its program is beneficial all the same: Staying ahead of the next security fiasco is priceless. It’s always better to find and fix a bug before it becomes a problem, especially when it comes to security. Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu.
