Pinterest Starts Paying Researchers Who Report Vulnerabilities

Researchers who identify vulnerabilities in Pinterest’s domains or mobile applications can now earn monetary rewards, the social media company has announced.

When it launched its bug bounty program in May 2014, Pinterest only offered researchers the opportunity to earn Bugcrowd Kudos points and maybe a T-shirt. Now that the company has migrated its services to HTTPS, it has decided to start offering money to experts who contribute to making the platform secure.

“Prior to the HTTPS migration, we were hesitant to open a paid bug bounty program because of a number of known vulnerabilities associated with being only HTTP,” Paul Moreno, security engineering lead of Pinterest’s Cloud team, wrote in a blog post. “Now that a number of gaps have been closed as a result of the migration, we’re happy to announce that we’ve upgraded the program with payouts results, with a 10x increase in reports since launching the paid program.”

Pinterest’s bug bounty page on Bugcrowd now shows that researchers can earn a minimum of $25-$200 per bug. For example, the minimum reward for remote code execution and authentication bypass vulnerabilities is $200, while cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws are eligible for a minimum $100 bounty.

For the time being, the following services are in the scope of the bug bounty program: pinterest.com, business.pinterest.com, help.pinterest.com, developers.pinterest.com, api.pinterest.com, about.pinterest.com, ads.pinterest.com, and the Pinterest mobile apps for Android and iOS.

Researchers who identify vulnerabilities in other properties or applications will not get a monetary reward, but they can have their names listed in Pinterest’s hall of fame.

The list of issues excluded from the bounty includes self-XSS, information disclosure caused by errors, flaws affecting outdated browsers, logout CSRF, open redirects when leaving the site, brute force attacks on the login and forgot password pages, missing HTTP security headers, and attacks requiring physical access to a targeted user’s device.

Pinterest says it encountered several challenges during the HTTPS migration: CDN-related issues, a performance impact, support for older browsers, HTTP functions and URLs hardcoded in source files, and mixed content warnings (pages served over HTTPS that still load scripts, images or stylesheets over plain HTTP).

“In the end, we enhanced the privacy of Pinners by enabling encryption while also hindering exploitation by way of man-in-the-middle attacks, session hijacking, content injection, etc. This also paved the way for future products that may require HTTPS to launch,” Moreno explained. “We will continue our journey towards HTTPS with further enhancements including HTTP Strict Transport Security (HSTS), which will prevent SSL stripping. We also plan to work with Chromium to preload our domain to prevent SSL stripping on a user’s first visit to Pinterest.”
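The two follow-up items Moreno describes, an HSTS policy that will stop SSL stripping on return visits and a Chromium preload entry that covers the first visit, plus the mixed content problem mentioned above, can be checked mechanically. The script below is an added example written for this article; it is not Pinterest's code and it does not contact any Pinterest host. It parses a `Strict-Transport-Security` header value per RFC 6797, reports what a preload submission would still be missing (the one-year `max-age`, `includeSubDomains` and `preload` requirements of the Chromium list are assumed from hstspreload.org's published rules), and scans an HTML body for plain-`http://` resource references that would trigger a mixed content warning. The sample header values and HTML are constructed for the demonstration, and the `.invalid` hostnames are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Minimum max-age the Chromium preload list accepts (one year, in seconds).
# Assumed from hstspreload.org's published requirements.
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value into its directives.

    Returns None when the header is absent or malformed, which a browser
    would also treat as 'no policy'. Directive names are case-insensitive
    and max-age may be quoted (RFC 6797 section 6.1).
    """
    if header_value is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age invalidates the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(header_value: Optional[str]) -> list:
    """Return a list of gaps between the header and a preload-ready policy."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["no valid Strict-Transport-Security header: "
                "SSL stripping is not prevented on return visits"]
    findings = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age={policy.max_age} is below one year "
                        f"({PRELOAD_MIN_MAX_AGE}) required for preload")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay "
                        "strippable and preload submission requires it")
    if not policy.preload:
        findings.append("preload directive missing: the domain cannot be "
                        "submitted to the Chromium preload list")
    return findings


# Plain-http:// references in src= attributes (scripts, images, frames) and
# CSS url() values are what browsers flag as mixed content. Navigational
# <a href> links are deliberately not matched; they are not mixed content.
MIXED_CONTENT_RE = re.compile(
    r"""(?:\bsrc\s*=\s*["']?|url\(\s*["']?)(http://[^"'\s)>]+)""",
    re.IGNORECASE,
)


def find_mixed_content(html: str) -> list:
    """Return every http:// resource URL that an HTTPS page would load."""
    return MIXED_CONTENT_RE.findall(html)


# Constructed sample page with one hardcoded HTTP stylesheet asset and one
# hardcoded HTTP script, alongside correctly migrated HTTPS references.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://static.example.invalid/site.css">
<style>body { background: url(http://static.example.invalid/bg.png); }</style>
</head><body>
<script src="http://static.example.invalid/app.js"></script>
<img src="https://static.example.invalid/logo.png">
<a href="http://partner.example.invalid/">partner</a>
</body></html>
"""

if __name__ == "__main__":
    # Weak policy beside the preload-ready one.
    for value in ("max-age=300", "max-age=31536000; includeSubDomains; preload"):
        print(repr(value), "->", hsts_findings(value) or ["preload-ready"])
    print("mixed content:", find_mixed_content(SAMPLE_HTML))
```

Running the script prints three findings for the short `max-age=300` policy, none for the one-year policy with both directives, and the two hardcoded HTTP asset URLs from the sample page; the same functions can be pointed at a real response's header and body once the site is served over HTTPS.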

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
