Bug Bounty Programs became more exciting...
...because PornHub is another company on board, focused on improving its security with the help of the public.
May 20, 2016
One fact of modern online life is indisputable: the number of cyber attacks and data breaches keeps growing. So it is always good to see companies that want to do something about it. We are not talking only about security companies or antivirus vendors, but also about the growing number of companies that have started their own Bug Bounty Programs. The conditions vary, but the principle is the same: encourage hackers and security researchers to find and report bugs and holes in their services, and reward them for doing so.
One of the latest well-known companies to join these rewarding activities is PornHub. It is a logical step: PornHub is the world's most popular porn site, with a huge audience (up to 60 million visitors a day). So it is cool to see such a site promote not only safe sex (sometimes (: ) but also safe browsing.
The rewards are interesting as well. PornHub offers between $50 and $25,000, depending on the severity and potential impact of the vulnerability found. PornHub is not alone in this: the program runs on HackerOne, a bug bounty startup that operates similar programs for other companies such as Yahoo, Twitter and General Motors. PornHub's stated aim is to get the most talented researchers involved in proactive, precautionary work on the security of the website, with the main focus on the security of PornHub's users.
If you want to participate in this program, combining business with pleasure for a chance at up to $25,000, you must meet some requirements:
- Be the first to report a security bug directly related to the company infrastructure
- Send a description of your bug report, explaining the type of vulnerability and how it works
- Include screenshots and proof of concept code to substantiate your claim
- Disclose your finding directly and exclusively to Pornhub
It is important to note that not all vulnerability classes are in scope. Cross-site request forgery (CSRF), information disclosure, cross-domain leakage, XSS via POST requests, HTTPS-related issues (such as HSTS), HttpOnly and Secure cookie flags, missing SPF records and session timeout are excluded from the bounty program, and such findings will not be rewarded. For the full rules, see the program page on HackerOne. We wish you luck in fulfilling your (security researching) dreams...
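Several of the excluded items above (HSTS, HttpOnly and Secure cookie flags, SPF records) are exactly what automated scanners flag first, so it is worth filtering them out before you write a report. The script below is an added example written for this page; it is not PornHub's or HackerOne's code and the HTTP response and DNS TXT records it inspects are constructed, not captured from any real site. It parses the response headers, flags the low-severity issues the program lists as out of scope, and tags each finding so the out-of-scope ones are dropped from a submission.

```python
"""Triage low-severity web findings against an out-of-scope list.

Added example for this article; not code from PornHub or HackerOne.
All sample data below is constructed for illustration.
"""

# Finding identifiers (names chosen here, not program terminology) that the
# article says the program does not reward.
OUT_OF_SCOPE = {
    "missing-hsts",
    "cookie-missing-httponly",
    "cookie-missing-secure",
    "missing-spf",
}

# Constructed HTTPS response: one cookie set without any flags, one set correctly,
# and no Strict-Transport-Security header at all.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed TXT records for a hypothetical domain: no "v=spf1" record present.
SAMPLE_TXT_RECORDS = ["google-site-verification=example", "v=DMARC1; p=none"]


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP response into (lowercased-name, value) header pairs."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def check_response(raw: str, over_https: bool = True) -> list[dict]:
    """Return findings for HSTS and cookie-flag issues, each tagged in/out of scope."""
    findings = []
    headers = parse_headers(raw)

    if over_https and not any(n == "strict-transport-security" for n, _ in headers):
        findings.append({"id": "missing-hsts",
                         "detail": "no Strict-Transport-Security header"})

    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        # attribute names only, case-insensitive (e.g. "Path=/", "Secure")
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append({"id": "cookie-missing-httponly",
                             "detail": f"cookie {cookie!r} lacks HttpOnly"})
        if over_https and "secure" not in attrs:
            findings.append({"id": "cookie-missing-secure",
                             "detail": f"cookie {cookie!r} lacks Secure"})

    for f in findings:
        f["in_scope"] = f["id"] not in OUT_OF_SCOPE
    return findings


def check_spf(txt_records: list[str]) -> list[dict]:
    """Flag a domain whose TXT records contain no SPF policy (starts with 'v=spf1')."""
    if any(r.lower().startswith("v=spf1") for r in txt_records):
        return []
    return [{"id": "missing-spf", "detail": "no v=spf1 TXT record",
             "in_scope": "missing-spf" not in OUT_OF_SCOPE}]


def reportable(findings: list[dict]) -> list[dict]:
    """Keep only findings the program would actually consider."""
    return [f for f in findings if f["in_scope"]]


if __name__ == "__main__":
    found = check_response(SAMPLE_RESPONSE) + check_spf(SAMPLE_TXT_RECORDS)
    for f in found:
        status = "submit" if f["in_scope"] else "out of scope"
        print(f"[{status}] {f['id']}: {f['detail']}")
    print(f"{len(reportable(found))} of {len(found)} findings worth submitting")
```

Running it on the constructed data yields four findings, all of them out of scope, so nothing would be submitted; a real triage run would feed it the headers of the target's responses and the TXT records you actually resolved. The check is deliberately conservative about HTTPS: the missing Secure flag and HSTS checks only fire when the response was served over TLS, since on plain HTTP they are not meaningful.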