{"id":3883,"date":"2015-03-19T03:54:45","date_gmt":"2015-03-18T19:54:45","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3883"},"modified":"2016-02-04T02:53:24","modified_gmt":"2016-02-03T18:53:24","slug":"pinterest-bug-bounty-program-starts-paying","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2015\/03\/pinterest-bug-bounty-program-starts-paying\/","title":{"rendered":"Pinterest Bug Bounty Program Starts Paying"},"content":{"rendered":"<p>There&#8217;s been a fair bit of news about <a href=\"https:\/\/www.darknet.org.uk\/tag\/bug-bounty\/\">bug bounty<\/a> programs in the past year or so, with <a href=\"https:\/\/www.darknet.org.uk\/2014\/09\/twitter-bug-bounty-official-started-paying-bugs\/\">Twitter officially starting to pay bug bounties at the end of 2014<\/a> and <a href=\"https:\/\/www.darknet.org.uk\/2015\/02\/google-expands-pwnium-year-round-with-infinite-bounty\/\">Google recently removing the caps from their program and making Pwnium all year round<\/a>.<\/p>\n<p align=\"center\"><img decoding=\"async\" src=\"https:\/\/farm8.staticflickr.com\/7646\/16670724319_e725cdeb2f.jpg\" alt=\"Pinterest Bug Bounty Program Starts Paying\" \/><\/p>\n<p>The latest news is Pinterest bug bounty program has started paying (finally), before this they just offered t-shirts and were sceptical about opening up paid bounties as they were exposed to multiple flaws because they hadn&#8217;t fully adopted HTTPS.<\/p>\n<blockquote><p>Pinterest\u2019s journey toward becoming a fully HTTPS website opened a lot of doors, including a potentially profitable one for hackers.<\/p>\n<p>The social networking site this week announced that it would begin paying cash rewards through its bug bounty program, upping the stakes from the T-shirt it originally offered last May when it kicked off the Bugcrowd-hosted initiative.<\/p>\n<p>The news complements Pinterest\u2019s full adoption of encrypted communication and traffic from its website.<\/p>\n<p>\u201cI feel HTTPS will soon be seen as a requirement for anyone doing business online,\u201d said Paul Moreno, security engineering lead on Pinterest\u2019s cloud team.<\/p>\n<p>Pinterest spells out the scope of its bounty program on its Bugcrowd page. The company said it will start paying between $25 and $200 for vulnerabilities found on a number of Pinterest properties, including its developer site, iOS and Android mobile applications, API, and ads pages among others.<\/p>\n<p>\u201cWe have a strong experimentation culture and we feel that HTTPS foundation provides the minimal baseline for us to get higher value bugs,\u201d Moreno told Threatpost. \u201cWe are experimenting with the paid approach for these community sourced higher value bugs and will evaluate the program periodically.\u201d<\/p><\/blockquote>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<p>The bug bounty payout was discussed during the announcement of their full move to HTTPS and discusses some of the issues they faced and of course the good parts of moving to a full HTTPS site.<\/p>\n<p>You can read the original full blog post here: <a href=\"http:\/\/engineering.pinterest.com\/post\/113537918179\/making-pinterest-https\">Making Pinterest HTTPS<\/a><\/p>\n<blockquote><p>Many high-value Internet properties have moved to HTTPS in the wake of the Snowden revelations. The continuous flow of leaked documents demonstrating the breadth of government surveillance and collection of personal data has accelerated a number of tech companies\u2019 migrations to HTTPS.<\/p>\n<p>Moreno said that Pinterest\u2019s move to HTTPS, however, was not without its challenges. Standing out among them was the site\u2019s working relationships with content delivery networks (CDNs) that support HTTPS and Pinterest\u2019s digital certificates. Other expected challenges, Moreno said, were some marginal performance issues, older browser support, mixed content warnings, and referral header removal from HTTPS to HTTP sites.<\/p>\n<p>Once a test was rolled out to its large Pinner community in the U.K., Moreno said some unexpected issues cropped up including CDN content that broke the site\u2019s Pin It functionality and some sitemap files that were not updated to point to HTTPS domains. Those were addressed respectively by orchestrating a DNS change to a new CDN provider, and the implementation of a meta referrer header to support HTTPS tracking to HTTP sites.<\/p>\n<p>\u201cIn addition, having multiple CDN providers that supported HTTPS gave us options for performance as well as commercial leverage,\u201d Moreno said in a blogpost announcing the move.<\/p>\n<p>\u201cIn the end, we enhanced the privacy of Pinners by enabling encryption while also hindering exploitation by way of man-in-the-middle attacks, session hijacking, content injection, etc. This also paved the way for future products that may require HTTPS to launch,\u201d Moreno said.<\/p><\/blockquote>\n<p>The bug bounty program with more details can be found here: <a href=\"https:\/\/bugcrowd.com\/pinterest\">Pinterest @ Bugcrowd<\/a> with outlines for minimum rewards.<\/p>\n<p>It basically covers all Pinterest domains, mobile apps and subdomains, and there&#8217;s been a 10x increase of bugs submitted &#8211; which is not surprising really. Money is WAY better than a t-shirt.<\/p>\n<p>Source: <a href=\"https:\/\/threatpost.com\/https-opens-door-to-paid-pinterest-bug-bounty\/111687\">ThreatPost<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>There&#8217;s been a fair bit of news about bug bounty programs in the past year or so, with Twitter officially starting to pay bug bounties at the end of 2014 and Google recently removing the caps from their program and making Pwnium all year round. The latest news is Pinterest bug bounty program has started [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"So the Pinterest Bug Bounty program has actually started paying out cash dollars instead of just t-shirts after a full move to HTTPS.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[10,15],"tags":[4814,8181],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3883"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=3883"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3883\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=3883"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=3883"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=3883"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}