
Pinterest Starts Paying Researchers Who Report Vulnerabilities

Researchers who identify vulnerabilities in Pinterest’s domains or mobile applications can now earn monetary rewards, the social media company has announced.

When it launched its bug bounty program in May 2014, Pinterest only offered researchers the opportunity to earn Bugcrowd Kudos points and maybe a T-shirt. Now that the company has migrated its services to HTTPS, it has decided to start offering money to experts who contribute to making the platform secure.

“Prior to the HTTPS migration, we were hesitant to open a paid bug bounty program because of a number of known vulnerabilities associated with being only HTTP,” Paul Moreno, security engineering lead of Pinterest’s Cloud team, wrote in a blog post. “Now that a number of gaps have been closed as a result of the migration, we’re happy to announce that we’ve upgraded the program with payouts, resulting in a 10x increase in reports since launching the paid program.”

Pinterest’s bug bounty page on Bugcrowd now lists minimum rewards of $25 to $200 per bug, depending on the class of vulnerability. For example, remote code execution and authentication bypass vulnerabilities carry a minimum reward of $200, while cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws are eligible for a minimum bounty of $100.

For the time being, the following services are in the scope of the bug bounty program: pinterest.com, business.pinterest.com, help.pinterest.com, developers.pinterest.com, api.pinterest.com, about.pinterest.com, ads.pinterest.com, and the Pinterest mobile apps for Android and iOS.

Researchers who identify vulnerabilities in other properties or applications will not get a monetary reward, but they can have their names listed in Pinterest’s hall of fame.

The list of issues excluded from the bounty includes self-XSS, information disclosure caused by errors, flaws affecting outdated browsers, logout CSRF, open redirects when leaving the site, brute force attacks on the login and forgot password pages, missing HTTP security headers, and attacks requiring physical access to a targeted user’s device.

Pinterest says the HTTPS migration brought several challenges: CDN-related issues, a performance hit, support for older browsers, HTTP functions and URLs hardcoded in source files, and mixed content warnings (a page served over HTTPS that still loads scripts, stylesheets or images over plain HTTP).
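The hardcoded-URL and mixed-content problems are the ones a migration team can find mechanically before flipping the switch. The following is an added example, not Pinterest's migration tooling: a small scanner that walks an HTML page and reports every subresource still fetched from an explicit http:// URL, splitting them into the "active" loads browsers block outright on an HTTPS page (scripts, stylesheets, frames, form targets) and the "passive" ones they merely warn about (images, audio, video). The sample page and its example.com hosts are constructed for the demonstration.

```python
"""Scan HTML for hard-coded http:// subresources that become mixed content
once the page itself is served over HTTPS.

Added example, not Pinterest's migration tooling. Standard library only.
The active/passive split follows the W3C Mixed Content spec: images, audio
and video are "optionally blockable" (warned about); everything else that
executes code or reads data is blocked outright.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that fetch a subresource from an HTTPS page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src"), ("form", "action")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser already lowercases tag/attr names
        if tag == "link":
            # Only stylesheet links are fetched; rel=canonical/alternate
            # are metadata and cause no mixed-content warning.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        for name, value in attrs.items():
            key = (tag, name)
            if value is None or (key not in ACTIVE and key not in PASSIVE):
                continue
            # Scheme-relative ("//cdn...") and https:// URLs are fine; only
            # an explicit http:// scheme is a problem.
            if urlsplit(value.strip()).scheme.lower() == "http":
                kind = "active" if key in ACTIVE else "passive"
                self.findings.append((kind, tag, name, value))


def find_mixed_content(html):
    """Return a list of (kind, tag, attribute, url) for every http:// load."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; the example.com hosts are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://cdn.example.com/app.js"></script>
<script src="//cdn.example.com/vendor.js"></script>
</head><body>
<img src="http://images.example.com/pin.jpg">
<img src="https://images.example.com/pin2.jpg">
<a href="http://www.example.com/about">About</a>
<form action="http://www.example.com/login"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"{kind:7} <{tag} {attr}> {url}")
```

Run against the sample, the scanner flags the stylesheet, the script and the form target as active mixed content and the image as passive; the canonical link, the plain navigation link, the https:// image and the scheme-relative script are left alone. Pointing it at real page templates (or at the rendered output of a crawl) gives the list of hardcoded URLs that must be changed to https:// or scheme-relative before the cutover.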

“In the end, we enhanced the privacy of Pinners by enabling encryption while also hindering exploitation by way of man-in-the-middle attacks, session hijacking, content injection, etc. This also paved the way for future products that may require HTTPS to launch,” Moreno explained. “We will continue our journey towards HTTPS with further enhancements including HTTP Strict Transport Security (HSTS), which will prevent SSL stripping. We also plan to work with Chromium to preload our domain to prevent SSL stripping on a user’s first visit to Pinterest.”
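The two HSTS steps Moreno describes address different windows. A Strict-Transport-Security header only protects a browser that has already seen it over HTTPS and still has the policy cached, so the very first http:// visit (or any visit after max-age expires) is still exposed to SSL stripping; the Chromium preload list closes that gap by shipping the policy inside the browser. The following is an added example, not Pinterest's code: it parses the header per RFC 6797, checks it against the preload list's header requirements (the one-year max-age minimum, includeSubDomains and preload are the hstspreload.org rules as assumed here; confirm them against the site), and models a browser's HSTS store so the first-visit gap and the max-age=0 eviction rule can be seen directly. The hostnames in the usage are placeholders.

```python
"""Parse Strict-Transport-Security (RFC 6797), check the preload-list header
requirements, and model how a browser's HSTS store decides whether an
http:// navigation is upgraded before it leaves the machine.

Added example, not Pinterest's code. The preload thresholds are the
hstspreload.org requirements as assumed here; check the site's current rules.
"""
import re

ONE_YEAR = 31536000  # seconds; assumed preload-list minimum for max-age


def parse_hsts(header_value):
    """Return {directive: value} or None when a UA would ignore the header
    (missing max-age, bad max-age syntax, or a repeated directive)."""
    directives = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name, value = name.strip().lower(), value.strip()
        if name in directives:          # RFC 6797 s6.1: no duplicate directives
            return None
        if name == "max-age":
            if not re.fullmatch(r'\d+|"\d+"', value):
                return None
            directives[name] = int(value.strip('"'))
        else:
            directives[name] = value.strip('"') or True
    if "max-age" not in directives:
        return None
    return directives


def preload_check(header_value, min_age=ONE_YEAR):
    """Return (eligible, problems) against the preload list's header rules."""
    d = parse_hsts(header_value)
    if d is None:
        return False, ["header malformed or lacks max-age; browsers ignore it"]
    problems = []
    if d["max-age"] < min_age:
        problems.append(f"max-age {d['max-age']} < required {min_age}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return not problems, problems


class HstsStore:
    """Minimal model of a UA's known-HSTS-hosts store plus the preload list."""

    def __init__(self, preloaded=()):
        self.preloaded = {h.lower() for h in preloaded}
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value, now):
        """Record a policy. Call this only for responses that arrived over
        HTTPS: RFC 6797 s8.1 ignores the header on plain HTTP, otherwise an
        on-path attacker could inject max-age=0 and evict the policy."""
        d = parse_hsts(header_value)
        if d is None:
            return
        if d["max-age"] == 0:
            self.entries.pop(host.lower(), None)   # max-age=0 deletes the policy
            return
        self.entries[host.lower()] = (now + d["max-age"], "includesubdomains" in d)

    def should_upgrade(self, host, now):
        """Would http://host be rewritten to https:// before any request?
        False on a first visit to a non-preloaded host: that request goes out
        in the clear, which is exactly the window SSL stripping needs."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            domain = ".".join(labels[i:])
            if domain in self.preloaded:       # preload entries imply includeSubDomains
                return True
            entry = self.entries.get(domain)
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


if __name__ == "__main__":
    hdr = "max-age=31536000; includeSubDomains; preload"
    print("preload eligible:", preload_check(hdr))
    store = HstsStore()
    print("first visit upgraded:", store.should_upgrade("www.example.com", 0))
    store.observe("www.example.com", hdr, 0)          # seen over HTTPS
    print("second visit upgraded:", store.should_upgrade("www.example.com", 60))
    print("preloaded host:", HstsStore(["example.com"]).should_upgrade("www.example.com", 0))
```

The store model makes the caveat concrete: without a preload entry, `should_upgrade` is False until the browser has completed one HTTPS visit and stays False again once max-age has elapsed, and a header received over plain HTTP must never reach `observe`. Checking the header a server actually returns with `preload_check` before submitting to the preload list avoids the common rejection causes (short max-age, missing includeSubDomains or preload token, or a duplicated directive that makes browsers drop the header entirely).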

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.