Sunday, 29 May 2016

On 01:04 by admin   3 comments
Ciaran (Mak) McNally, an experienced security researcher, detailed his experience with Pornhub's recently launched bug bounty program, and according to his story, the company is nowhere near close to paying the maximum advertised reward of $25,000.

McNally's account of his recent dealings with Pornhub's security engineers is a story of frustration. The researcher details how he got access to many of Pornhub's internal services, but the company either paid extremely small fees, or declined to pay him at all, proclaiming those services were out of the bug bounty's scope, even if common sense said they weren't.

The Dublin-based security expert says this all happened before the public announcement of the company's bug bounty program a few weeks back, while the program was in a closed beta, to which he was invited.

On his personal blog, McNally's revealed that he got access to a pornhubpremium.com content management system, for which he received only $750.

Another server he accessed included a panel called DECEPTICron for managing cron jobs across different Pornhub-owned services, for which he wasn't paid at all. Pornhub said the server was old and soon to be decommissioned.

He then managed to get read/write access to a plethora of SVN repositories, but was again paid only for a few with $500, while Pornhub marked many of these out of the bug bounty's scope.

"The [SVN] code had a lot of database passwords in it for multiple sites, along with lots of juicy looking stuff," the researcher explained.

Unfortunately, Pornhub didn't reward him with the vaunted $25,000 bug reward as it said it would in its press release, even if the researcher at this point could have entered malicious code into various Pornhub services and taken control of many of their services.

McNally also said that Pornhub also paid him $150 for a recurring XXE (XML External Entity) flaw found across multiple domains, but at this point it was clear the service wasn't living up to other bug bounty programs ran by other companies.

3 comments: