Wednesday, 28 May 2014

I saved Pinterest's business and all I have to show for it is a t-shirt

Pinterest is gearing up a bug bounty programme which will pay security researchers to plug holes in the popular kittens'n'cupcakes site.
The programme launched today in an early phase in which researchers can report bugs through the managed bounty service Bugcrowd, although cash rewards are not yet on offer.

The digital scrapbook has also updated its own vulnerability reporting guidelines, which offer t-shirts in place of cash and have so far seen 13 researchers report bugs to the site.
Security engineer Paul Moreno said the site, valued in May at $5 billion, hosted events where its dedicated in-house teams competed to crush bugs.
"We even host internal fix-a-thons where employees across the company search for bugs so we can patch them before they affect Pinners," Moreno said in a post.
"Even with these precautions, bugs get into code ... starting today, we’re formalising a bug bounty programme with Bugcrowd and updating our responsible disclosure, which means we can tap into the more than 9000 security researchers on the Bugcrowd platform."
The Bugcrowd deal was a "first step" that would evolve into a paid cash programme, which Moreno expected would result in a more efficient disclosure process.
Detailed public Pinterest bug reports appear to be scarce. In February 2012 security researcher Shadab Siddiqui disclosed to Softpedia cross-site scripting, iframe injection and SQL injection flaws that he said could allow user accounts to be hijacked. Pinterest plugged the holes shortly after.
