There’s been a fair bit of news about bug bounty programs in the past year or so, with Twitter officially starting to pay bug bounties at the end of 2014 and Google recently removing the caps from their program and making Pwnium all year round.
The latest news is Pinterest bug bounty program has started paying (finally), before this they just offered t-shirts and were sceptical about opening up paid bounties as they were exposed to multiple flaws because they hadn’t fully adopted HTTPS.
Pinterest’s journey toward becoming a fully HTTPS website opened a lot of doors, including a potentially profitable one for hackers.
The social networking site this week announced that it would begin paying cash rewards through its bug bounty program, upping the stakes from the T-shirt it originally offered last May when it kicked off the Bugcrowd-hosted initiative.
The news complements Pinterest’s full adoption of encrypted communication and traffic from its website.
“I feel HTTPS will soon be seen as a requirement for anyone doing business online,” said Paul Moreno, security engineering lead on Pinterest’s cloud team.
Pinterest spells out the scope of its bounty program on its Bugcrowd page. The company said it will start paying between $25 and $200 for vulnerabilities found on a number of Pinterest properties, including its developer site, iOS and Android mobile applications, API, and ads pages among others.
“We have a strong experimentation culture and we feel that HTTPS foundation provides the minimal baseline for us to get higher value bugs,” Moreno told Threatpost. “We are experimenting with the paid approach for these community sourced higher value bugs and will evaluate the program periodically.”
The bug bounty payout was discussed during the announcement of their full move to HTTPS and discusses some of the issues they faced and of course the good parts of moving to a full HTTPS site.
You can read the original full blog post here: Making Pinterest HTTPS
Many high-value Internet properties have moved to HTTPS in the wake of the Snowden revelations. The continuous flow of leaked documents demonstrating the breadth of government surveillance and collection of personal data has accelerated a number of tech companies’ migrations to HTTPS.
Moreno said that Pinterest’s move to HTTPS, however, was not without its challenges. Standing out among them was the site’s working relationships with content delivery networks (CDNs) that support HTTPS and Pinterest’s digital certificates. Other expected challenges, Moreno said, were some marginal performance issues, older browser support, mixed content warnings, and referral header removal from HTTPS to HTTP sites.
Once a test was rolled out to its large Pinner community in the U.K., Moreno said some unexpected issues cropped up including CDN content that broke the site’s Pin It functionality and some sitemap files that were not updated to point to HTTPS domains. Those were addressed respectively by orchestrating a DNS change to a new CDN provider, and the implementation of a meta referrer header to support HTTPS tracking to HTTP sites.
“In addition, having multiple CDN providers that supported HTTPS gave us options for performance as well as commercial leverage,” Moreno said in a blogpost announcing the move.
“In the end, we enhanced the privacy of Pinners by enabling encryption while also hindering exploitation by way of man-in-the-middle attacks, session hijacking, content injection, etc. This also paved the way for future products that may require HTTPS to launch,” Moreno said.
The bug bounty program with more details can be found here: Pinterest @ Bugcrowd with outlines for minimum rewards.
It basically covers all Pinterest domains, mobile apps and subdomains, and there’s been a 10x increase of bugs submitted – which is not surprising really. Money is WAY better than a t-shirt.