Slashdot Mirror


Attacker Compromises Pornhub, Sells Shell Access for $1,000, Says Columnist (csoonline.com)

An anonymous reader writes: Four days after launching a bug bounty program, Pornhub is said to be compromised. The person responsible used a vulnerability in the user profile script that handles images (not ImageMagick) and is selling shell access on one of their servers for $1,000 USD. This is the second major website the hacker has shelled. Prior to Pornhub, they compromised the LA Times website.
CSO's security columnist notes that Pornhub "announced their bounty program on May 9, but it's a private, invite-only program managed by HackerOne. As such, it isn't clear if there would've been a way to report this flaw and collect a reward to begin with." In addition, on Twitter the attacker reportedly posted "I don't report vulnerabilities anymore, go underground or go home."

4 of 57 comments

  1. Good. Call them on their publicity stunts. by Anonymous Coward · Score: 2, Insightful

    Bug bounties are bogus. Don't make a lottery out of security.

  2. "I don't report vulnerabilities anymore" by phayes · Score: 1, Insightful

    "I don't report vulnerabilities anymore, go underground or go home."

    Here's hoping I see a future /. story titled "PornHub Hacker arraigned today". I don't give a rat's ass that it's Pornhub, the sentiment that this guy has deserves the consequences in anti-hacking laws.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    1. Re:"I don't report vulnerabilities anymore" by Anonymous Coward · Score: 2, Insightful

      "I don't report vulnerabilities anymore, go underground or go home."

      Here's hoping I see a future /. story titled "PornHub Hacker arraigned today". I don't give a rat's ass that it's Pornhub, the sentiment that this guy has deserves the consequences in anti-hacking laws.

      As much as I get your feelings on this, the number of people who've been sued after reporting vulnerabilities makes me understand it.

    2. Re:"I don't report vulnerabilities anymore" by JaredOfEuropa · Score: 3, Insightful

      The difference is: those other people did not deserve to be arrested. For finding a vulnerability and subsequently selling shell access, this guy does deserve it.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...