This is one of those cases where it's the responsibility of the bug bounty platform operator (HackerOne) to ensure that its customer (PornHub) deals appropriately with bug bounty participants. If PornHub doesn't offer a clear scope and fair reward for effort, penetration testers may be disillusioned with the HackerOne brand also and choose not to partake in other bug bounty programs it oversees. And of course the platform cannot thrive without a large number of skilled and active testers.
This is so true. I work for a large social network and we recently got an email from an employee of a particular porn streaming company. They wanted to implement this new web compression protocol/algorithm into their systems and they had heard that we were doing the same.
Our solution involved writing Apache Traffic Server plugins and achieving high throughput. Their solution involved using PHP to execute the demo cli tool that came with the library and pass it the content they wanted to encode.
We interviewed a candidate who previously worked for sugardaddie.com. It was definitely an interesting conversation but I think yours would take the cake. :)
Yeah, that's too hard to top. I could only tweak it with PornHub penetration "expert" or "professional." I imagine the phrase protection would be avoided over security in that company given it has dual-meaning there. Wouldn't want people to think I dispensed... commodities... all day long. ;)
Exactly, even more it would be great publicity, at least to pentesters, if Hackerone would investigate one of these reports and publicly reprimand or even disqualify a site like PornHub.
But pentesters are not the ones paying for a HackerOne listing, those would be the companies, and perhaps the companies might not be so happy if HackerOne would publicly shame some of them.
Do hackers seek to make a living off bounties? It seems as if they just want a good, rewarding, motivating experience. To be treated with respect and to get the recognition they want. $50 for a vulnerability appears very low for this. Looking in the hackerone site, some companies publish how much they give to the hackers and most have a much more generous minimum reward.
I'd hope that some people, at least, actually want to fix problems and gain respect in their field. As opposed to engaging in criminal activity and selling out to the highest bidder.
It's easy to say "I do it for the respect, not the money" when you have enough money to get by.
There's plenty of guys out there who are searching for hacks like this because they need to feed their kids. I won't criticize them for selling bugs to nefarious entities.
Bug bounties aren't for guys like us who don't need the money.
People who want to gain professional respect are probably going to stay away from a pornhub bounty - I am not anti-porn, but I wouldn't put it on my resume either.
Also, regardless of good intentions at the start, once the company has screwed you over. I am sure it is tempting to return the favor with the next vulnerability you find.
Anecdotal, but I've heard friends of friends who earn 6 figure salaries worth of bounties for corporations, although some sound more like consultation type gigs.
I have friends that made their living off bug bounties for a few years. Eventually they get jobs at security firms, but sometimes you can't get a job without having some proof of experience.
Another grumbly hacker complaining about a bug bounty undervaluing their work.
It wasnt long ago that notifying a company that they had a vuln was an act that risked prosecution.
Bug bounties are a release valve. They are not a substitute for a job. They will never pay the same as crime. Writeups like this are not going to facilitate relationships with leaders in the security industry. This post and others like them are embarrassingly naive.
Money is money. Offer $25k and a researcher gets RCE on the vast majority of your scoped boxes, you better pay a substantial portion of that $25k. Shame on PornHub, I'll be using xvideos from now on.
Who cares about "facilitating relationships"? Thats a load of bullshit words. They offered an amount of money in exchange for some information, then neglected their responsibility.
Yeah you used to risk prosecution for doing stuff like that, then the site owners realized how brain dead that was and now they are trying to have a normal relationship because it is a huge bonus for them, not because they give a shit about the people who helped them out.
That's an amazingly regressive point of view. Sure, in the past such things risked prosecution but why exactly does it mean we have to figuratively knock stones together on vulnerability ethics? When cars were invented, a man had to run in front of the car with a red flag to warn others of it.
In 2016, everyone deserves privacy and security on the internet. We know and understand the dangers of vulnerabilities better, and I think we should be capable of having some respect and suitably compensating those who do the right thing.
If you can make the internet a more secure place for us to live our lives and make enough to live out of it, more power to you.
