Pinterest Kicks Off Paid Bug Bounties

Pinterest is interested in showcasing more than cool lifestyle ideas—it’s also offering researchers an avenue to “pin” cyber-bugs, via a paid bounty program.

The program, which is run on BugCrowd, is an extension of a bounty initiative that Pinterest started last year. But while it was previously offering a spot in the “hall of fame” and a T-shirt, now the social recommendation site is paying up for flaws in its web property, mobile apps and ad platform.

A handful of issues are of particular interest, according to the company. Remote code execution flaws, for instance, will pay $200, as will significant authentication bypass issues. Cross-site request forgery (CSRF) on critical actions and cross-site scripting (excluding self-XSS) will each pay $100.

Some findings are specifically excluded from the bounty, among them missing HTTP security headers, attacks requiring physical access to a user's device, password or account recovery policies, social engineering, and logout CSRF.

Pinterest, with 70+ million users (42% of online female adults in the US use the site, according to the Pew Internet Research Center), is a ripe target. It has faced serious problems in the past, like a flaw that would have allowed mass-email harvesting.

“Such a flaw could have spelled disaster in the hands of a black hat,” noted independent security researcher Dan Melamed at the time. “A hacker could have set up a bot to retrieve all of the email addresses from a list of users for spam or malicious purposes.”

The news comes as the site is transitioning to all-HTTPS for end-to-end traffic encryption. “I feel HTTPS will soon be seen as a requirement for anyone doing business online,” Paul Moreno, security engineering lead on Pinterest’s cloud team, told Kaspersky Lab. “We have a strong experimentation culture and we feel that an HTTPS foundation provides the minimal baseline for us to get higher value bugs. We are experimenting with the paid approach for these community sourced higher value bugs and will evaluate the program periodically.”

The bounty program requires explicit permission to disclose the results of a submission, the company added, and researchers are not allowed to publicly disclose the vulnerability prior to Pinterest’s resolution of the issue.

So far, 36 bugs have been rewarded.