Pinterest Bug Bounty Program Starts Paying


There’s been a fair bit of news about bug bounty programs in the past year or so, with Twitter officially starting to pay bug bounties at the end of 2014 and Google recently removing the caps from their program and making Pwnium all year round.

Pinterest Bug Bounty Program Starts Paying

The latest news is Pinterest bug bounty program has started paying (finally), before this they just offered t-shirts and were sceptical about opening up paid bounties as they were exposed to multiple flaws because they hadn’t fully adopted HTTPS.

Pinterest’s journey toward becoming a fully HTTPS website opened a lot of doors, including a potentially profitable one for hackers.

The social networking site this week announced that it would begin paying cash rewards through its bug bounty program, upping the stakes from the T-shirt it originally offered last May when it kicked off the Bugcrowd-hosted initiative.

The news complements Pinterest’s full adoption of encrypted communication and traffic from its website.

“I feel HTTPS will soon be seen as a requirement for anyone doing business online,” said Paul Moreno, security engineering lead on Pinterest’s cloud team.

Pinterest spells out the scope of its bounty program on its Bugcrowd page. The company said it will start paying between $25 and $200 for vulnerabilities found on a number of Pinterest properties, including its developer site, iOS and Android mobile applications, API, and ads pages among others.

“We have a strong experimentation culture and we feel that HTTPS foundation provides the minimal baseline for us to get higher value bugs,” Moreno told Threatpost. “We are experimenting with the paid approach for these community sourced higher value bugs and will evaluate the program periodically.”


The bug bounty payout was discussed during the announcement of their full move to HTTPS and discusses some of the issues they faced and of course the good parts of moving to a full HTTPS site.

You can read the original full blog post here: Making Pinterest HTTPS

Many high-value Internet properties have moved to HTTPS in the wake of the Snowden revelations. The continuous flow of leaked documents demonstrating the breadth of government surveillance and collection of personal data has accelerated a number of tech companies’ migrations to HTTPS.

Moreno said that Pinterest’s move to HTTPS, however, was not without its challenges. Standing out among them was the site’s working relationships with content delivery networks (CDNs) that support HTTPS and Pinterest’s digital certificates. Other expected challenges, Moreno said, were some marginal performance issues, older browser support, mixed content warnings, and referral header removal from HTTPS to HTTP sites.

Once a test was rolled out to its large Pinner community in the U.K., Moreno said some unexpected issues cropped up including CDN content that broke the site’s Pin It functionality and some sitemap files that were not updated to point to HTTPS domains. Those were addressed respectively by orchestrating a DNS change to a new CDN provider, and the implementation of a meta referrer header to support HTTPS tracking to HTTP sites.

“In addition, having multiple CDN providers that supported HTTPS gave us options for performance as well as commercial leverage,” Moreno said in a blogpost announcing the move.

“In the end, we enhanced the privacy of Pinners by enabling encryption while also hindering exploitation by way of man-in-the-middle attacks, session hijacking, content injection, etc. This also paved the way for future products that may require HTTPS to launch,” Moreno said.

The bug bounty program with more details can be found here: Pinterest @ Bugcrowd with outlines for minimum rewards.

It basically covers all Pinterest domains, mobile apps and subdomains, and there’s been a 10x increase of bugs submitted – which is not surprising really. Money is WAY better than a t-shirt.

Source: ThreatPost

Posted in: Exploits/Vulnerabilities, Web Hacking

,


Latest Posts:


ZigDiggity - ZigBee Hacking Toolkit ZigDiggity – ZigBee Hacking Toolkit
ZigDiggity a ZigBee Hacking Toolkit is a Python-based IoT (Internet of Things) penetration testing framework targeting the ZigBee smart home protocol.
RandIP - Network Mapper To Find Servers RandIP – Network Mapper To Find Servers
RandIP is a nim-based network mapper application that generates random IP addresses and uses sockets to test whether the connection is valid or not with additional tests for Telnet and SSH.
Nipe - Make Tor Default Gateway For Network Nipe – Make Tor Default Gateway For Network
Nipe is a Perl script to make Tor default gateway for network, this script enables you to directly route all your traffic from your computer to the Tor network.
Mosca - Manual Static Analysis Tool To Find Bugs Mosca – Manual Static Analysis Tool To Find Bugs
Mosca is a manual static analysis tool written in C designed to find bugs in the code before it is compiled, much like a grep unix command.
Slurp - Amazon AWS S3 Bucket Enumerator Slurp – Amazon AWS S3 Bucket Enumerator
Slurp is a blackbox/whitebox S3 bucket enumerator written in Go that can use a permutations list to scan externally or an AWS API to scan internally.
US Government Cyber Security Still Inadequate US Government Cyber Security Still Inadequate
Surprise, surprise, surprise - an internal audit of the US Government cyber security situation has uncovered widespread weaknesses, legacy systems and poor adoption of cyber controls and tooling.


Comments are closed.