Pornhub asks for help hardening its security

Insert your own pun here.

Pornhub

Pornhub, the self-proclaimed "premiere destination for adult entertainment", has announced a bug bounty program.

The X-rated video site is offering up to $25,000 for anyone who reports previously unknown vulnerabilities on its website.

Naturally there are a few rules:

  • Any vulnerability found must be reported no later than 24 hours after discovery.
  • You are not allowed to disclose details about the vulnerability anywhere else.
  • You must avoid tests that could cause degradation or interruption of our service.
  • You must not leak, manipulate, or destroy any user data.
  • You are only allowed to test against accounts you own yourself.
  • The use of automated tools or scripted testing is not allowed.

And there are some types of vulnerabilities that Pornhub doesn't appear to be interested in paying out for:

  • Cross site request forgery (CSRF)
  • Cross domain leakage
  • Information disclosure
  • XSS attacks via POST requests
  • Missing SPF records
  • HttpOnly and Secure cookie flags
  • HTTPS related (such as HSTS)
  • Session timeout
  • Missing X-Frame or X-Content headers
  • Click-jacking
  • Rate-limiting

Personally I think that's a bit of a shame, as I feel some of those would at least warrant Pornhub's minimum payout of $25 (also known as 2.5 Yahoo t-shirts)

BugNonetheless, it seems quite sensible to me that a site as popular as Pornhub is encouraging researchers to report vulnerabilities directly to them, and is offering substantial monetary rewards.

After all, the site claims to have over 60 million daily viewers and encourages.. ahem.. members to sign-up for premium accounts.

If it's good enough for Pornhub, maybe it's good enough for you.

Most companies with an online presence are at risk of having malicious hackers exploiting vulnerabilities on their sites, and potentially spurting out company secrets and customer information.

It's unrealistic to imagine that all of the bugs on your site might be found by your internal staff - an external bug bounty program may be precisely what your firm needs to ensure that your online presence is kept ship-shape and Bristol fashion.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

No comments yet.

Leave a Reply