Pinterest throws cash at topless bug-finders
Pictorial network gets its gear off to refresh bug bounty program
Pinterest has stopped giving out t-shirts and started paying cash for vulnerabilities found under its bug bounty program.
The web clipboard will offer up to US$200 under the BugCrowd-managed program for nine of its assets, including the Android and iOS applications.
Security engineering lead Paul Moreno said the number of bug reports increased tenfold after it launched its t-shirt bug bounty, prior to its migration to HTTPS. "Prior to the HTTPS migration, we were hesitant to open a paid bug bounty program because of a number of known vulnerabilities associated with being only HTTP," Moreno said.
"Now that a number of gaps have been closed as a result of the migration, we’re happy to announce that we’ve upgraded the program with payouts results.
"We highly encourage the whitehat hacker community to use our program and report bugs, which helps us keep Pinners safe and increase our security posture."
Top bounties will go to remote code execution, "significant" authentication bypass, cross-site request forgery, and cross-site scripting.
Punters bearing missing HttpOnly cookie flags and end-of-life browser bugs need not apply.
Pinterest ran into some problems during its lauded HTTPS migration, which began in Britain, including impacts on browser performance, mixed secure and insecure content warnings, and higher content delivery network costs. ®