Pornhub Gets with the Bug Bounty Program

Adult entertainment website Pornhub is the latest firm to ask the white hat research community to help fortify it against attack, after launching a bug bounty program.

Like many other firms, it has launched the program in partnership with the HackerOne platform, and is offering anywhere between $50 and $25,000 depending on the severity of the reported flaw.

However, for any security researchers looking to make a quick buck there are strict rules around eligibility and exceptions.

Any bugs must be reported within 24 hours of discovery, and the use of automated tools is prohibited.

Also, a total of 12 vulnerability types – including cross-site request forgery (CSRF), cross-site scripting (XSS) via POST requests, and cross-domain leakage – will not qualify for a reward.

The HackerOne program page states:

“Security is a top priority at Pornhub. We strive to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.”

Well-known adult sites like Pornhub have also become popular among the black hat community as a quick and easy means of spreading malware to as many users as possible.

Malvertising is a particularly popular tactic, although in most cases it can't be prevented by plugging holes on the site itself. In December last year Malwarebytes claimed compromised Flash ads served by adult advertising network AdXpansion were putting tens of millions at risk of infection.

Porn-themed malware is also widespread on the mobile web. In November last year, for example, Zscaler reported newly discovered ransomware and data-stealing malware disguised as legitimate porn apps.

In February, researchers at Eset revealed they’d discovered 350 porn clicker trojans on Google Play over the previous seven months.

Porn sites also have to guard their customer databases, which hackers increasingly see as a prime opportunity to extort money from the users of such sites.

Last month, the emails and passwords of nearly four million users of the Naughty America site and affiliates apparently turned up on the dark web.

And according to tweets this week from Have I Been Pwned, the breach-notification site run by Troy Hunt, 107,000 accounts from a niche site known as The Rosebutt Board have been exposed in a new hack, which could be highly embarrassing for the holders of .gov and .mil addresses who are apparently among those affected.