Pornhub, the self-proclaimed “premiere destination for adult entertainment”, has announced a bug bounty program.
The X-rated video site is offering up to $25,000 for anyone who reports previously unknown vulnerabilities on its website.
Naturally there are a few rules:
- Any vulnerability found must be reported no later than 24 hours after discovery.
- You are not allowed to disclose details about the vulnerability anywhere else.
- You must avoid tests that could cause degradation or interruption of our service.
- You must not leak, manipulate, or destroy any user data.
- You are only allowed to test against accounts you own yourself.
- The use of automated tools or scripted testing is not allowed.
And there are some types of vulnerabilities that Pornhub doesn’t appear to be interested in paying out for:
- Cross site request forgery (CSRF)
- Cross domain leakage
- Information disclosure
- XSS attacks via POST requests
- Missing SPF records
- HttpOnly and Secure cookie flags
- HTTPS related (such as HSTS)
- Session timeout
- Missing X-Frame or X-Content headers
- Click-jacking
- Rate-limiting
Personally I think that’s a bit of a shame, as I feel some of those would at least warrant Pornhub’s minimum payout of $25 (also known as 2.5 Yahoo t-shirts)
After all, the site claims to have over 60 million daily viewers and encourages.. ahem.. members to sign-up for premium accounts.
If it’s good enough for Pornhub, maybe it’s good enough for you.
Most companies with an online presence are at risk of having malicious hackers exploiting vulnerabilities on their sites, and potentially spurting out company secrets and customer information.
It’s unrealistic to imagine that all of the bugs on your site might be found by your internal staff – an external bug bounty program may be precisely what your firm needs to ensure that your online presence is kept ship-shape and Bristol fashion.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
