Pinterest is a place to discover ideas for all your projects and interests, hand-picked by people like you. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.

Targets

In scope

  • *.pinterest.com
  • Open source projects listed at github.com/pinterest/
  • Firefox extension (download at: assets.pinterest.com/ext/Pinterest_Firefox.xpi)
  • Safari extension (download at: assets.pinterest.com/ext/Pinterest-Safari.safariextz)
  • Chrome extension (download at: chrome.google.com/webstore/detail/pinterest-save-button/gpdjojdkbbmdfjfahjcgigfpmkopogic?hl=en)
  • Edge extension (download at: ms-windows-store://pdp/?productid=9nblggh4v89b)
  • Pinterest Buyable Pins / eCommerce features
  • Pinterest Android Mobile Application
  • Pinterest iOS Mobile Application

Vulnerabilities reported on other Pinterest properties or applications (including acquisitions such as Instapaper) are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our Hall of Fame at https://bugcrowd.com/pinterest/hall-of-fame

Mobile applications can be downloaded at:

  • https://itunes.apple.com/us/app/pinterest/id429047995?mt=8
  • https://play.google.com/store/apps/details?id=com.pinterest&hl=en

Focus Areas: These issues are of particular interest and will be considered for top rewards:

  • Remote Code Execution
  • Significant Authentication Bypass
  • Cross Site Request Forgery on Critical Actions
  • Cross Site Scripting (excluding self-XSS)
  • Pinterest Buyable Pins related security bugs
  • Exfiltration of Sensitive Data or PII

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of findings.

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.

Eligibility and Responsible Disclosure

We are pleased to thank every researcher who submits valid reports that help us improve the security of Pinterest. However, only those that meet the following eligibility requirements may receive a reward:

  • The vulnerability must be a qualifying vulnerability (see Scope)
  • We can’t be legally prohibited from rewarding you
  • You may not publicly disclose the vulnerability prior to our resolution
  • You must not be employed by Pinterest or its subsidiaries or related entities

Terms and Conditions

As a condition of participation in this program, you hereby grant Pinterest, its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Pinterest in connection therewith, for any purpose. You must comply with all applicable laws in connection with your participation in this program. Further, this program is not an offer of employment, nor of a contractual relationship between Pinterest and any other party. You are also responsible for any applicable taxes associated with any reward you receive. We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.