No, I'm not surfing smut. I'm trying to score a bug bounty from P0rnhub

World's biggest flesh site offering cash if you can expose its seamy underbelly

The world's most popular porn site PornHub has launched a somewhat restrictive security bug bounty.

The site draws a eye-watering 60 million visitors a day and has been subject to breaches mainly limited to malvertising attacks which would generally not be uncovered by bug bounties.

PornHub is running its bug bounty on the HackerOne platform and is initially restricted in security scope.

Hackers must report bugs 24 hours after discovery, found without the use of automated tools, and must not interrupt the delivery of porn services.

"Security is a top priority at Pornhub," the site administrators write on the HackerOne bounty listing.

"If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery."

Bug bounty hackers need not submit bugs including cross-site request forgery, cross-site scripting via post requests, cross-domain leakage, or click-jacking, among a total of 11 exclusions.

Social engineering is, like other bounties, excluded along with denial of service attacks, and physical data centre intrusions.

The flesh merchant will pay between US$50 and a more titillating $US25,000.

So far 23 hackers have submitted bugs while browsing the site.

Malvertisers have ripped through porn sites infecting ads with exploit kits like Angler and Magnitude which more often than not deliver ransomware.

Feature: Malware menaces poison ads as Google, Yahoo! look away.

Those attacks do not result as a direct breach of the victim sites, but rather exploit the weaknesses in the global online advertising structure where high-pace and low-profit margins leave little room for complex buyer and content integrity checks.

Websites like Pornhub and, more usefully ad network operators, would need to implement security vetting to clamp down on the unabated malvertising menace. ®


Biting the hand that feeds IT © 1998–2017