Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Pinterest Launches Bug Bounty Program

Image-based social network Pinterest has launched a bug bounty program powered by the crowdsourced-driven vulnerability disclosure platform Bugcrowd.

Image-based social network Pinterest has launched a bug bounty program powered by the crowdsourced-driven vulnerability disclosure platform Bugcrowd.

Pinterest has a team of people dedicated to finding and fixing bugs, and it has also collaborated with external security experts to ensure that the platform is secure, the company said. In an effort to make the social media website bug-free, the company has now launched an official bug bounty program, and updated its responsible disclosure statement.

“We hope these updates will allow us to learn more from the security community and respond faster to Whitehats,” Paul Moreno, a security engineer at Pinterest, noted Tuesday in a blog post.

For the time being, security experts and researchers who report vulnerabilities are only mentioned in the company’s hall of fame, and rewarded with Kudos points, which can be used to access private bounties where only the top researchers are invited. Some reports are also eligible for “swag” (i.e., a shirt). 

“This is just the first step,” Moreno added. “As we gather feedback from the community, we have plans to turn the bug bounty into a paid program, so we can reward experts for their efforts with cash.”

Through the new program, bounty hunters can report security holes found in the main website, www.pinterest.com, and the following subdomains: api.pinterest.com, about.pinterest.com, business.pinterest.com, blog.pinterest.com, help.pinterest.com, developers.pinterest.com and engineering.pinterest.com.

Those who identify flaws are asked to provide enough details to reproduce the vulnerability, give Pinterest a reasonable amount of time to come up with a fix before making any information public, and avoid unauthorized data access and service disruption while conducting tests.

In return, Pinterest promises to send a confirmation when receiving reports, provide an estimate of how long the fix will take, and inform the reporter of when the vulnerability is fixed.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.