Pornhub is stepping up its security by inviting hackers to find bugs on its website and get rewarded in cash. Following in the footsteps of major tech companies such as Amazon, Google, Yahoo, Adobe, Twitter and Facebook, Pornhub has launched its own bug bounty programme where it is promising a reward of up to $25,000 for discovering and discreetly reporting a flaw in its website that could be exploited by criminals.
The online adult entertainment site launched the new programme through HackerOne, which hosts bug bounty programmes for various companies. Pornhub's bug bounty programme is a follow-up of a private beta programme that was launched last year and used to fix around two dozen issues.
"Like other major tech players have been doing as of late, we're tapping some of the most talented security researchers as a proactive and precautionary measure — in addition to our dedicated developer and security teams — to ensure not only the security of our site but that of our users, which is paramount to us," Corey Price, vice president at Pornhub, said in a statement.
Pornhub rewards range between $50 and $25,000, depending on the severity of the bug. Payments will be made via HackerOne. According to the company's VP, the new programme will help protect and improve security of the site, which entertains 60 million visitors daily.
Popular sites are often the target of cybercriminals and Pornhub has been attacked several times in the past, mostly from malicious ads on the site. Even though the new programme allows researchers or white-hat hackers to explore flaws in the site, Pornhub has a strict code that needs to be followed in order to get rewarded.
HackerOne has explained the eligibility criteria that is essential to qualify for a reward when a researcher finds a bug in Pornhub site. Researchers must report any vulnerability within 24 hours after discovery and not disclose details of the flaw anywhere. Researchers cannot leak or destroy users' data on the site or test against one's own accounts.
HackerOne also notes that "any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed." DoS attacks, automated tools or scans, botnet, CSRF (cross site request forgery), cross domain leakage, click-jacking and rate-limiting are some of the restricted activities in the bug bounty programme.