PornHub invites hackers and security researchers with bug bounty of $25,000

PornHub Will Pay You $25,000, If You Can Hack Its Website

PornHub, the largest and most popular pornography website on the Internet, has now opened up its bug bounty program to all in conjunction with HackerOne. PornHub’s rewards start at a minimum of $50 for small issues and can go as high as $25,000 for finding a huge problem.

HackerOne has an impressive list of happy clients, including Slack, Dropbox, Uber, GM, and Twitter. The company pairs hackers with issues reported by companies and provides an amount for finding the bug.

PornHub’s vice president, Corey Price, who has high expectations for the program, says:

“Like other major tech players have been doing as of late, we’re tapping some of the most talented security researchers as a proactive and precautionary measure — in addition to our dedicated developer and security teams — to ensure not only the security of our site but that of our users, which is paramount to us. The brand new program provides some of our developer-savvy fans a chance to earn some extra cash – upwards to $25K – and the opportunity to be included in helping to protect and enhance the site for our 60 million daily visitors.”

PornHub’s bug bounty program actually first debuted in May 2015 as a private, invite-only affair. About 10 to 15 security researchers participated. Of the 23 valid bugs that they reported, 21 bounties were issued for a total of $2,750. The highest payout was $1,250.

Security researchers are required to meet the following conditions to qualify for a bounty reward:

• Need to be the first to report a technical security vulnerability directly connected to the PornHub infrastructure
• Send a clear textual description of the report along with instructions to replicate the
• Include attachments such as screenshots or proof of concept code
• Disclose the vulnerability report directly and exclusively to PornHub

These are the basic conditions to follow for bug bounty programs. Also, public disclosure of the vulnerability prior to resolution will result in disqualification from the program.

PornHub does not allow any activity that would disturb, damage, or adversely affect any third-party data or account. The program also forbids denial of service attacks, compromising of user or employee accounts, physical attacks against offices and data centers, social engineering, and any form of automated exploitation.

Further, the following vulnerabilities will not be considered for bounty:

• Cross-site request forgery (CSRF)
• Cross domain leakage
• Information disclosure
• XSS attacks via POST requests
• Missing SPF records
• HttpOnly and Secure cookie flags
• HTTPS related (such as HSTS)
• Session timeout
• Missing X-Frame or X-Content headers
• Click-jacking
• Rate-limiting

PornHub promises its security team will respond to all reports within 30 days. In addition, the company is promising up to 90 days to implement a fix, as long as the vulnerability disclosed is considered to be severe.

The site made headlines recently this year for its April Fool’s joke and its charity for breast cancer support.