After having migrated their online properties to HTTPS and having sorted out the main problems that arose from the move, Pinterest is ready to pay researchers for information about bugs affecting their assets.
In the initial version of their bug bounty program, the rewards were T-shirts and a mention in the Hall of Fame.
“Prior to the HTTPS migration, we were hesitant to open a paid bug bounty program because of a number of known vulnerabilities associated with being only HTTP,” explained Paul Moreno, the security engineering lead on the Pinterest Cloud team.
“Now that a number of gaps have been closed as a result of the migration, we’re happy to announce that we’ve upgraded the program with payouts results, with a 10x increase in reports since launching the paid program. We highly encourage the whitehat hacker community to use our program and report bugs, which helps us keep Pinners safe and increase our security posture.”
The company would like researchers to focus on finding Remote Code Execution, Significant Authentication Bypass, Cross Site Request Forgery on Critical Actions, and Cross Site Scripting (excluding self-XSS) vulnerabilities.
Reports of flaws in the first two categories earn a minimum of $200 from the company. Those who flag flaws in the latter two categories will receive at least $100. There is no mention of maximum amounts.
The list of flaws excluded from the bounty is a bit longer.
As before, Pinterest is interested in bugs affecting their mobile apps (for Android and iOS), their main page (pinterest.com), several subdomains (business, help, developers, about, and ads), and their API.