Pornhub asks for help hardening its security

Insert your own pun here.

Pornhub, the self-proclaimed “premiere destination for adult entertainment”, has announced a bug bounty program.

The X-rated video site is offering up to $25,000 for anyone who reports previously unknown vulnerabilities on its website.

Naturally there are a few rules:

  • Any vulnerability found must be reported no later than 24 hours after discovery.
  • You are not allowed to disclose details about the vulnerability anywhere else.
  • You must avoid tests that could cause degradation or interruption of our service.
  • You must not leak, manipulate, or destroy any user data.
  • You are only allowed to test against accounts you own yourself.
  • The use of automated tools or scripted testing is not allowed.

And there are some types of vulnerabilities that Pornhub doesn’t appear to be interested in paying out for:

  • Cross site request forgery (CSRF)
  • Cross domain leakage
  • Information disclosure
  • XSS attacks via POST requests
  • Missing SPF records
  • HttpOnly and Secure cookie flags
  • HTTPS related (such as HSTS)
  • Session timeout
  • Missing X-Frame or X-Content headers
  • Click-jacking
  • Rate-limiting

Personally I think that’s a bit of a shame, as I feel some of those would at least warrant Pornhub’s minimum payout of $25 (also known as 2.5 Yahoo t-shirts).

Nonetheless, it seems quite sensible to me that a site as popular as Pornhub is encouraging researchers to report vulnerabilities directly to them, and is offering substantial monetary rewards.

After all, the site claims to have over 60 million daily viewers and encourages... ahem... members to sign up for premium accounts.

If it’s good enough for Pornhub, maybe it’s good enough for you.

Most companies with an online presence are at risk of having malicious hackers exploiting vulnerabilities on their sites, and potentially spurting out company secrets and customer information.

It’s unrealistic to imagine that all of the bugs on your site might be found by your internal staff – an external bug bounty program may be precisely what your firm needs to ensure that your online presence is kept ship-shape and Bristol fashion.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
