Pornhub Gets Penetrated for Cheap

Bug bounties: how hackers work for free

Image caption: the campaign poster that won Nuri Gulver his new job, a winning entry in a Pornhub design contest. Design contests are for artists what bug bounties are for security pros.

UPDATE: Pornhub has updated its bug bounty program and retroactively upped the pay for many freelance researchers, including Ciaran McNally (who added the news to his blog post, linked below). Mr. McNally’s $750 reward became $5,000, for example, as shown on HackerOne. “This is our first bug bounty program and it has been quite a learning experience for us,” a Pornhub spokesperson wrote in a statement sent to the Observer. The payout table has been elaborated and now clarifies award expectations. “We want to be fair with every researcher, and as such we have retroactively credited all past submissions according to the new payout table,” the statement said.

A freelance security consultant found several serious vulnerabilities in Pornhub, but he was not paid anywhere close to the $25,000 maximum reward that the site has advertised, according to a blog post. Ciaran McNally wrote that he has been looking into bugs on Pornhub’s site for almost a year now, ever since its bug bounty program was first invite-only. In mid-May, the site opened up a bug bounty program on the site HackerOne, promising rewards for finding holes in its security, just like the big kids on the web do.

Mr. McNally’s post says that promises of hefty rewards motivated him to take the program seriously, but he later became disillusioned. “I basically had trouble understanding how a bounty program can advertise a large reward like $25,000 even though it has never paid out that much ever before,” he wrote the Observer in an email. “They also provide no indication of what kind of security issues could receive the top reward.”

In his post, he writes that many of his peers have reported “a bukkake” of $50 rewards. After finding several weaknesses, he wrote, “The highest reward I received was $750, this was for gaining access to a pornhubpremium.com content management system.”

“Essentially the worst issue I found was remote code execution,” he explained in his email. “This is generally a worst case scenario for an attack as the site administrators could be targeted directly by someone malicious.” With that level of access, among other exploits, he said he might have been able to view user information.

In his post, Mr. McNally shows evidence of gaining access to a content management system and to a server that would have let him run code on multiple sites. He also writes that he found passwords for some databases and gained access to a repository of version controlled files.

Pornhub announced the bug bounty program to the public on May 9. All bugs have to be reported exclusively to Pornhub within 24 hours of discovery and none of the hacks can disrupt Pornhub’s business (among other rules). Pornhub, like many of the top sites for adult content, is a property of MindGeek. Pornhub was not immediately available for comment.

“Now they have a public bounty and are getting a lot of media attention for being pro-security. Very disappointing and demotivational,” he concludes.

Mr. McNally is not the only hacker with these concerns. Another apparently tried to sell some vulnerabilities found on the site via Twitter, according to The Daily Dot (the tweets have since been deleted). This may have been more to make a point, however, about “bug bounties” as an effective way to crowdsource extremely cheap work out of freelance hackers. Participants in the Reddit forum r/netsec expressed the same frustration.

Bug bounties seem to look to hackers like design contests look to artists: a way to put a positive spin on asking loads of people to work for free (Pornhub has run design contests, too).

Mr. McNally put it in hacker terms, writing, “Be very cautious fellow hunters. Many will gladly fuck you over for a cheap pentest.”
