
Experience with PornHub's bug bounty: Scornhub - dlgeek
http://makthepla.net/blog/=/scornhub-bounty
======
amjo324
This is one of those cases where it's the responsibility of the bug bounty
platform operator (HackerOne) to ensure that its customer (PornHub) deals
appropriately with bug bounty participants. If PornHub doesn't offer a clear
scope and fair reward for effort, penetration testers may be disillusioned
with the HackerOne brand also and choose not to partake in other bug bounty
programs it oversees. And of course the platform cannot thrive without a large
number of skilled and active testers.

~~~
dTal
"PornHub penetration tester" would look... interesting on a resume.

~~~
stuxnet79
Once you have worked as a dev for at least one porno company you are pretty
much pigeonholed in the industry.

~~~
kyllo
And that means you have to use PHP forever.

~~~
therein
This is so true. I work for a large social network and we recently got an
email from an employee of a particular porn streaming company. They wanted to
implement this new web compression protocol/algorithm into their systems and
they had heard that we were doing the same.

Our solution involved writing Apache Traffic Server plugins and achieving high
throughput. Their solution involved using PHP to execute the demo cli tool
that came with the library and pass it the content they wanted to encode.

------
Arcane_NH
Hope they have patched everything reported and not paid for, because I'm sure
there are other parties who would find that information valuable.

------
eprime
Do hackers seek to make a living off bounties? It seems as if they just want a
good, rewarding, motivating experience. To be treated with respect and to get
the recognition they want. $50 for a vulnerability appears very low for this.
Looking in the hackerone site, some companies publish how much they give to
the hackers and most have a much more generous minimum reward.

~~~
mathgeek
Part of the equation is that companies offering bounties need to compete with
entities who also offer rewards for said knowledge.

~~~
mordechai9000
I'd hope that some people, at least, actually want to fix problems and gain
respect in their field. As opposed to engaging in criminal activity and
selling out to the highest bidder.

~~~
mabbo
It's easy to say "I do it for the respect, not the money" when you have enough
money to get by.

There are plenty of guys out there who are searching for hacks like this because
they need to feed their kids. I won't criticize them for selling bugs to
nefarious entities.

Bug bounties aren't for guys like us who don't need the money.

------
droopybuns
Another grumbly hacker complaining about a bug bounty undervaluing their work.

It wasn't long ago that notifying a company that they had a vuln was an act
that risked prosecution.

Bug bounties are a release valve. They are not a substitute for a job. They
will never pay the same as crime. Writeups like this are not going to
facilitate relationships with leaders in the security industry. This post and
others like them are embarrassingly naive.

~~~
corndoge
Money is money. Offer $25k and a researcher gets RCE on the vast majority of
your scoped boxes, you better pay a substantial portion of that $25k. Shame on
PornHub, I'll be using xvideos from now on.

