Pinterest has become the latest major Web property to start a bug bounty program, joining the Bugcrowd platform and offering researchers rewards of up to…a shirt.

The site, which enables users to post photos, recipes and other information, announced the new reward program Tuesday. Company officials said that Pinterest was looking for more people to help find bugs in the various Web properties it operates. The company already works with external researchers and holds internal “fix-a-thons” to encourage employees to find bugs.

“Even with these precautions, bugs get into code. Over the years, we’ve worked with external researchers and security experts who’ve alerted us to bugs. Starting today, we’re formalizing a bug bounty program with Bugcrowd and updating our responsible disclosure, which means we can tap into the more than 9,000 security researchers on the Bugcrowd platform. We hope these updates will allow us to learn more from the security community and respond faster to Whitehats,” Paul Moreno, a security engineer at Pinterest, wrote in a blog post announcing the program.

The main pinterest.com domain is the target of the bug bounty program, but the program's scope also includes a number of subdomains:

• api.pinterest.com
• www.pinterest.com
• about.pinterest.com
• business.pinterest.com
• blog.pinterest.com
• help.pinterest.com
• developers.pinterest.com
• engineering.pinterest.com

Moreno said that while a shirt and a mention in the company’s hall of fame are the only rewards available in the program right now, that may change in the future as the program matures and attracts more researchers.

“This is just the first step. As we gather feedback from the community, we have plans to turn the bug bounty into a paid program, so we can reward experts for their efforts with cash,” he said.

Bugcrowd is a platform that allows companies to run their bug bounty programs and expose them to a vetted group of security researchers and testers. Many large companies choose to run their bug bounties on their own, including Facebook, Microsoft, PayPal and others. But Bugcrowd allows organizations to hand off some of the details to a third party.


Categories: Vulnerabilities, Web Security

Comments (3)

  1. Marisa Fagan

    Thanks for the mention, Dennis. We’re excited to be working with Pinterest and looking forward to their continued successful interactions with security researchers in the future.

    -Marisa
    Community Manager, Bugcrowd

  2. Fraud

    I can ensure that reporting issues to Pinterest is a complete waste of time: I have been waiting for a reply from this company for more than 6 months, and what I got from them days ago was a single line telling me that they are already aware of all the vulnerabilities I disclosed to them in 2013.

    • Ellie Kesselman

      It is discouraging to me, as a Pinterest user concerned about security, to learn of your experience in reporting issues. I’m not surprised though, given how seriously Pinterest has NOT decided to take their bug bounty program, as indicated by the prize for bug finders: a T-shirt.
