Many tech companies offer big rewards if you can tell them exactly how bad their security is. Until this week, Pinterest was just offering t-shirts.
But no longer: Pinterest is now joining the big leagues of companies with open “bug bounty” programs, offering cash rewards for enterprising hackers who help keep pinners safe by clueing Pinterest in on its holes and flaws. The program is run through Bugcrowd, a platform that, along with rival service HackerOne, serves as a marketplace for hackers to point out flaws in a corporation’s online services without fear of retribution—and maybe for a little cash.
As a quick reference, we threw together this chart of what tech companies pay their bounty hunters—either the highest bounty they’re willing to pay, or the highest record-holding bounty they have reported.
If there are any glaring absences, it’s because a number of companies don’t have public bounty programs. Dropbox and Airbnb, for example, have open bug bounty programs through HackerOne but don’t advertise their payouts. Apple has an active disclosure program but simply keeps a “Hall of Fame” listing the names of whoever reported each bug.
As for Pinterest’s meager offerings, it’s likely because their public bounty program is so new. Jonathan Cran, VP of Operations at Bugcrowd, explained it to us like this: At first, when developing a program, you set the bar low and invite tons of people to weed out the easiest exploits and flaws. Later in the game, you raise the reward amounts to lure out the big guns—for evidence of this, check out how the pay-outs in the above chart correlate with the growth and age of each company.
Without this kind of slow ramping-up, you risk blowing your whole cybersecurity budget on the first round of smaller bugs.
“Pinterest is early in their process,” Mr. Cran told the Observer. “I suspect you’ll see Pinterest’s program grow very quickly over time.”