Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pornhub Launches Bug Bounty Program With Rewards Up To $25,000 (techweekeurope.co.uk)

Posted by BeauHD on from the 18-years-of-age-or-older dept.

Mickeycaskill quotes a report from TechWeekEurope UK: Pornhub is launching a bug bounty program for security researchers and pornography enthusiasts who are able to identify flaws on its platform. Hunters will be paid a minimum of $50 for each vulnerability discovered, with up to $25,000 on offer for particularly vicious flaws, although the site notes that 23 reports have already been resolved. Successful applicants to the scheme will need to be the first person to responsibly disclose an unknown issue, which the Pornhub security team has 30 days to respond to, and up to 90 days to implement a fix base on the severity of the report. However there are some restrictions, such as users not being allowed to carry out Denial of Service (DDoS) attacks on Pornhub, or even carry out physical attacks on the company's offices or data centers. Social engineering tactics are also not allowed, such as phishing attacks against Pornhub employees, and researchers are not allowed to compromise user accounts.

6 of 77 comments (clear)

  1. Re:Cash, sure ... by Anonymous Coward · · Score: 5, Funny

    "It was just a penetration test, I swear! I used protection!"

  2. Obvious Restrictions by mentil · · Score: 4, Insightful

    However there are some restrictions, such as users not being allowed to carry out Denial of Service (DDoS) attacks on Pornhub, or even carry out physical attacks on the company's offices or data centers. Social engineering tactics are also not allowed, such as phishing attacks against Pornhub employees, and researchers are not allowed to compromise user accounts.

    This should be obvious, as it's a BUG bounty. That is, the point is to find and fix bugs in computer code, not to recite a Security 101 list of potential attack vectors. However, given that pen testers use social engineering, and probably some try to sneak into offices to test physical security, it makes sense to clarify that it's bugs only and not full pen testing. DDoS isn't even really fixable, just mitigatable.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  3. Re:Cash, sure ... by Anonymous Coward · · Score: 3, Informative

    Pornhub is owned by a media conglomerate with a pretty unoffensive name. Regardless, working as a dev / pentest (yea, haha) for a porn site/application is not ill received in the industry. It's not as glorious as being an SDE for a big 4 but many of those sites have interesting scalability issues and other interesting problem spaces. From all of my reading (mostly on /r/cscareerquestions) it seems like working for one of these companies is perfectly acceptable and the office environment is very similar to any other.

  4. Re:Ladies and Gentlemen ... it's an AD CAMPAIGN by 110010001000 · · Score: 3, Funny

    Slashdot is declining too. Yet I visit every day!

  5. All Joking aside by backwardsposter · · Score: 3, Insightful

    Good for them

  6. Re: Cash, sure ... by drew_kime · · Score: 4, Interesting

    I have a relative who worked for a porn site. He focused on cross-browser JavaScript performance and security. He said the porn sites are a couple of years ahead of most online banking sites, and respond to updates and vulnerabilities much faster.

    --
    Nope, no sig