Image-based social network Pinterest has launched a bug bounty program powered by the crowdsourced-driven vulnerability disclosure platform Bugcrowd.
Pinterest has a team of people dedicated to finding and fixing bugs, and it has also collaborated with external security experts to ensure that the platform is secure, the company said. In an effort to make the social media website bug-free, the company has now launched an official bug bounty program, and updated its responsible disclosure statement.
“We hope these updates will allow us to learn more from the security community and respond faster to Whitehats,” Paul Moreno, a security engineer at Pinterest, noted Tuesday in a blog post.
For the time being, security experts and researchers who report vulnerabilities are only mentioned in the company’s hall of fame, and rewarded with Kudos points, which can be used to access private bounties where only the top researchers are invited. Some reports are also eligible for “swag” (i.e., a shirt).
“This is just the first step,” Moreno added. “As we gather feedback from the community, we have plans to turn the bug bounty into a paid program, so we can reward experts for their efforts with cash.”
Through the new program, bounty hunters can report security holes found in the main website, www.pinterest.com, and the following subdomains: api.pinterest.com, about.pinterest.com, business.pinterest.com, blog.pinterest.com, help.pinterest.com, developers.pinterest.com and engineering.pinterest.com.
Those who identify flaws are asked to provide enough details to reproduce the vulnerability, give Pinterest a reasonable amount of time to come up with a fix before making any information public, and avoid unauthorized data access and service disruption while conducting tests.
In return, Pinterest promises to send a confirmation when receiving reports, provide an estimate of how long the fix will take, and inform the reporter of when the vulnerability is fixed.