This article originally appeared on Pinterest’s engineering blog, written by Devin Lundberg, Pinterest Tech Lead, Product Security.
When a security researcher discovers a bug in a piece of software, the responsible thing to do is inform the company so they can fix it. And so platforms like Pinterest need to provide clear and actionable programs, typically with rewards or recognition, for those with valid reports. For us, that’s come in the form of responsible disclosure policies, which we’ve evolved over the years.
We work with Bugcrowd to manage the program and integrate with their existing community of researchers, across a variety of Pinterest properties including pinterest.com subdomains (such as help.pinterest.com), mobile apps, browser extensions and open source projects. Since 2015 we’ve given monetary rewards (or “bounties”) to researchers and have continually raised those rewards. We use Bugcrowd’s vulnerability rating taxonomy to assign rewards fairly based on severity, which gives researchers a reasonable expectation of what a report will earn and helps focus attention on the most impactful types of bugs.
The program has been a big success. Hundreds of researchers have participated. We’ve paid out more than $35,000 in rewards for more than 150 valid, non-duplicate submissions, and the highest single reward was $2,500.
Today we’re once again announcing increased rewards for all tiers of bugs to show our continued commitment to responsible disclosure and researchers.