Researchers can earn between $50 and $25,000

May 11, 2016 13:35 GMT

Pornhub announced two days ago the launch of a security bug bounty program via the HackerOne platform that will pay independent researchers from $50 up to $25,000 for their findings.

Pornhub is only one of the most recent companies to open such programs, with almost all the big names (except Apple) running bug bounties for years. Only in the past months, companies like Uber, open-source projects like Tor, and even the Pentagon have entered the bug bounty arena. Nevertheless, there are still a lot of big-name firms that don't run such programs.

The move was needed since a site like Pornhub draws in between 30 and 60 million users a day. Exploiting vulnerabilities in such a site would give threat groups access to a very large pool of potential victims.

As such, the large number of malvertising campaigns that have targeted the site and other similar adult video hosting platforms should come as no surprise.

Does Pornhub really expect proper bug reports within 24 hours?

According to Pornhub's bug bounty program specs, any security researcher is eligible to participate and submit bugs if he/she follows a set of rules.

The company wants researchers to report bugs within 24 hours of discovering them. Researchers must avoid damaging Pornhub's network or causing service interruptions of any kind.

Furthermore, the use of automated security testing tools is prohibited, as well as any kind of action that manipulates, leaks, or damages user data and privacy in any way.

For successful submissions and larger rewards, Pornhub recommends that security researchers put together well-explained reports, along with exploit code and recommended fixes.

Except for the 24-hour submission window, most of these requirements are now de facto industry standards for bug reporting.

Pornhub says it will fix security issues within 90 days

Pornhub says that it will decide the reward amount for each submission based on the report itself. The company reserves up to 30 days to respond to reported security bugs, but says that researchers can publicly disclose security issues if the problem is not fixed within 90 days.

As with most bounty programs, DoS attacks, social engineering, and the compromise of backend Pornhub employee accounts are out of scope. Only public frontend services are open to bug hunting.

Pornhub says it will reject from the outset eleven bug classes, such as XSS, CSRF, clickjacking, rate-limiting issues, HTTPS-related bugs, and a few more. In-depth details are available on Pornhub's HackerOne profile, where researchers have already reported 23 issues since the program launched.