Pinterest Starts Paying Researchers Who Report Vulnerabilities

Researchers who identify vulnerabilities in Pinterest’s domains or mobile applications can now earn monetary rewards, the social media company has announced.

When it launched its bug bounty program in May 2014, Pinterest only offered researchers the opportunity to earn Bugcrowd Kudos points and maybe a T-shirt. Now that the company has migrated its services to HTTPS, it has decided to start offering money to experts who contribute to making the platform secure.

“Prior to the HTTPS migration, we were hesitant to open a paid bug bounty program because of a number of known vulnerabilities associated with being only HTTP,” Paul Moreno, security engineering lead of Pinterest’s Cloud team, wrote in a blog post. “Now that a number of gaps have been closed as a result of the migration, we’re happy to announce that we’ve upgraded the program with payouts results, with a 10x increase in reports since launching the paid program.”

Pinterest’s bug bounty page on Bugcrowd now shows that researchers can earn a minimum of $25-$200 per bug. For example, the minimum reward for remote code execution and authentication bypass vulnerabilities is $200, while cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws are eligible for a minimum $100 bounty.

For the time being, the following services are in the scope of the bug bounty program: … and the Pinterest mobile apps for Android and iOS.

Researchers who identify vulnerabilities in other properties or applications will not get a monetary reward, but they can have their names listed in Pinterest’s hall of fame.

The list of issues excluded from the bounty includes self-XSS, information disclosure caused by errors, flaws affecting outdated browsers, logout CSRF, open redirects when leaving the site, brute force attacks on the login and forgot password pages, missing HTTP security headers, and attacks requiring physical access to a targeted user’s device.

Pinterest says it has encountered several challenges during the HTTPS migration process. The challenges included CDN-related issues, impact on performance, older browser support, hardcoded HTTP functions and URLs in source files, and mixed content warnings.

“In the end, we enhanced the privacy of Pinners by enabling encryption while also hindering exploitation by way of man-in-the-middle attacks, session hijacking, content injection, etc. This also paved the way for future products that may require HTTPS to launch,” Moreno explained. “We will continue our journey towards HTTPS with further enhancements including HTTP Strict Transport Security (HSTS), which will prevent SSL stripping. We also plan to work with Chromium to preload our domain to prevent SSL stripping on a user’s first visit to Pinterest.”
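As an added example (not from the article and not Pinterest's own code), the small Python checker below parses a Strict-Transport-Security header and reports what would keep a domain from meeting the browser preload-list requirements the quote refers to. The one-year max-age minimum reflects the current hstspreload.org submission rules; the header values it is run on are constructed for the example.

```python
import re

# Minimum max-age (seconds) required for preload-list submission: one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Return the directives of an HSTS header value as a dict.

    Directive names are case-insensitive. max-age carries an integer value;
    includeSubDomains and preload are flags (stored with value None).
    A malformed max-age (non-numeric, quoted garbage) is treated as absent.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                directives["max-age"] = int(value)
        else:
            directives[name] = None
    return directives


def hsts_preload_problems(header):
    """List what keeps this header from being preload-ready.

    An empty list means the header satisfies all three requirements.
    Plain HSTS only needs a max-age; includeSubDomains and preload are
    what the preload list additionally demands.
    """
    d = parse_hsts(header)
    problems = []
    if "max-age" not in d:
        problems.append("missing or invalid max-age")
    elif d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year (%d < %d)"
                        % (d["max-age"], PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


if __name__ == "__main__":
    # Constructed sample headers: a first rollout value and a preload-ready one.
    for h in ("max-age=300", "max-age=31536000; includeSubDomains; preload"):
        print(repr(h), "->", hsts_preload_problems(h) or "preload-ready")
```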

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.