Pornhub asks for help hardening its security

Insert your own pun here.

Pornhub, the self-proclaimed “premiere destination for adult entertainment”, has announced a bug bounty program.

The X-rated video site is offering up to $25,000 for anyone who reports previously unknown vulnerabilities on its website.


Naturally there are a few rules:

  • Any vulnerability found must be reported no later than 24 hours after discovery.
  • You are not allowed to disclose details about the vulnerability anywhere else.
  • You must avoid tests that could cause degradation or interruption of our service.
  • You must not leak, manipulate, or destroy any user data.
  • You are only allowed to test against accounts you own yourself.
  • The use of automated tools or scripted testing is not allowed.

And there are some types of vulnerabilities that Pornhub doesn’t appear to be interested in paying out for:

  • Cross site request forgery (CSRF)
  • Cross domain leakage
  • Information disclosure
  • XSS attacks via POST requests
  • Missing SPF records
  • HttpOnly and Secure cookie flags
  • HTTPS related (such as HSTS)
  • Session timeout
  • Missing X-Frame or X-Content headers
  • Click-jacking
  • Rate-limiting

Personally I think that’s a bit of a shame, as I feel some of those would at least warrant Pornhub’s minimum payout of $25 (also known as 2.5 Yahoo t-shirts).

Nonetheless, it seems quite sensible to me that a site as popular as Pornhub is encouraging researchers to report vulnerabilities directly to them, and is offering substantial monetary rewards.

After all, the site claims to have over 60 million daily viewers and encourages... ahem... members to sign up for premium accounts.

If it’s good enough for Pornhub, maybe it’s good enough for you.

Most companies with an online presence are at risk of malicious hackers exploiting vulnerabilities on their sites, and potentially spurting out company secrets and customer information.

It’s unrealistic to imagine that all of the bugs on your site might be found by your internal staff – an external bug bounty program may be precisely what your firm needs to ensure that your online presence is kept ship-shape and Bristol fashion.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.
