Pinterest has become the latest major Web property to start a bug bounty program, joining the Bugcrowd platform and offering researchers rewards of up to…a shirt.
The site, which enables users to post photos, recipes and other information, announced the new reward program Tuesday. Company officials said that Pinterest was looking for more people to help find bugs in the various Web properties it operates. The company already works with external researchers and holds internal “fix-a-thons” to encourage employees to find bugs.
“Even with these precautions, bugs get into code. Over the years, we’ve worked with external researchers and security experts who’ve alerted us to bugs. Starting today, we’re formalizing a bug bounty program with Bugcrowd and updating our responsible disclosure, which means we can tap into the more than 9,000 security researchers on the Bugcrowd platform. We hope these updates will allow us to learn more from the security community and respond faster to Whitehats,” Paul Moreno, a security engineer at Pinterest, wrote in a blog post announcing the program.
The main pinterest.com domain is in scope for the bug bounty program, along with a number of its subdomains:
• api.pinterest.com
• www.pinterest.com
• about.pinterest.com
• business.pinterest.com
• blog.pinterest.com
• help.pinterest.com
• developers.pinterest.com
• engineering.pinterest.com
Moreno said that while a shirt and a mention in the company’s hall of fame are the only rewards available in the program right now, that may change in the future as the program matures and attracts more researchers.
“This is just the first step. As we gather feedback from the community, we have plans to turn the bug bounty into a paid program, so we can reward experts for their efforts with cash,” he said.
Bugcrowd is a platform that allows companies to run their bug bounty programs and expose them to a vetted group of security researchers and testers. Many large companies choose to run their bug bounties on their own, including Facebook, Microsoft, PayPal and others. But Bugcrowd allows organizations to hand off some of the details to a third party.