Ciaran (Mak) McNally, an experienced security researcher, has detailed his experience with Pornhub's recently launched bug bounty program, and according to his account, the company is nowhere near paying the maximum advertised reward of $25,000.

McNally's account of his recent dealings with Pornhub's security engineers is a story of frustration. The researcher describes how he gained access to many of Pornhub's internal services, yet the company either paid very small rewards or declined to pay him at all, declaring those services out of the bug bounty's scope even when common sense said they weren't.

McNally was an early participant in the company’s bug bounty

The Dublin-based security expert says this all happened before the public announcement of the company’s bug bounty program a few weeks back, while the program was in a closed beta, to which he was invited.

On his personal blog, McNally revealed that he gained access to a pornhubpremium.com content management system, for which he received only $750.

Another server he accessed included a panel called DECEPTICron for managing cron jobs across different Pornhub-owned services, for which he wasn’t paid at all. Pornhub said the server was old and soon to be decommissioned.

McNally's screenshot of DECEPTICron

He then obtained read/write access to a large number of SVN repositories, but was paid only $500 for a few of them, while Pornhub marked many of the others as out of the bug bounty's scope.

“The [SVN] code had a lot of database passwords in it for multiple sites, along with lots of juicy looking stuff,” the researcher explained.

Pornhub did not reward him with the vaunted $25,000 bug reward it had promised in its press release, even though at this point the researcher could have inserted malicious code into various Pornhub services and taken control of many of them.

McNally also said that Pornhub paid him $150 for a recurring XXE (XML External Entity) flaw found across multiple domains, but by this point it was clear the program wasn't living up to the bug bounty programs run by other companies.

Researcher says bug bounty was a way to get media attention

"It seemed to me that pornhub just marked stuff out of scope as I reported it and then narrowed their scope section on regular intervals," McNally added. "Now they have a public bounty and are getting a lot of media attention for being pro-security. Very disappointing and demotivational."

While everyone seemed very optimistic about Pornhub's bug bounty program when it launched, opinions are quickly changing.

Shortly after the company launched its bug bounty, a hacker added to the criticism when he advertised a shell on Pornhub's servers, which he said he had sold to three people.

Pornhub’s answer was to call his finding a “hoax.” The hacker answered Pornhub on another news site, saying Pornhub has “stupid developers who claim there [sic] server cannot execute php.” After hearing of McNally’s dealings with Pornhub, the same hacker tweeted yesterday: “I guess im not the only one who had problems with pornhub.”

Softpedia has contacted Pornhub for comment. On Reddit, a Pornhub spokesperson provided the following statement regarding the researcher’s experience with its early bug bounty:

  Mak was invited into the program as a private beta. This has been a learning experience for us as it was our first bug bounty. As such, we truly appreciate any comments and suggestions from top researchers like him. We have made a lot of adjustments to both the program, our process for handling reports and the payout table since then. We will be releasing more detailed information on the payouts, what we consider high importance and why very soon.  

The services to which McNally could have committed cron jobs