Pinterest

  • Rewards: points to $5,000 per vulnerability
  • Managed by Bugcrowd

Program stats

173 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

$340 average payout (last 3 months)

Pinterest is a place to discover ideas for all your projects and interests, hand-picked by people like you. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of findings.

Please note: reward caps are strict and non-negotiable.

Bonus Rewards

We are providing a special CTF-inspired bounty for our Bugcrowd researchers. For the remainder of 2018, we will be awarding a P1 bounty of $5,000 to anyone who can expose the secret board name, secret board pin information (link, image, or description), or the account email on a specific Pinterest account (username: bugbountyvictim). To be eligible for this bounty, you must be able to provide reproduction steps that expose this information while following the scope of the bounty brief exactly. The target is https://www.pinterest.com/bugbountyvictim/ and you have our permission to access (or try to access) any information associated with this specific account. Good luck!

Reward Range

Technical severity   Reward range
P1 Critical          Up to $5,000
P2 Severe            $900 - $1,200
P3 Moderate          $300 - $500
P4 Low               Up to $100

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name (type):

  • Pinterest iOS Mobile Application (Other)
  • Pinterest Android Mobile Application (Other)
  • Pinterest Buyable Pins / eCommerce features (Other)
  • Edge extension, download at ms-windows-store://pdp/?productid=9nblggh4v89b (Other)
  • Chrome extension, download at chrome.google.com/webstore/detail/pinterest-save-button/gpdjojdkbbmdfjfahjcgigfpmkopogic?hl=en (Other)
  • Safari extension, download at assets.pinterest.com/ext/Pinterest-Safari.safariextz (Other)
  • Firefox extension, download at assets.pinterest.com/ext/Pinterest_Firefox.xpi (Other)
  • Open source projects listed at github.com/pinterest/ (Other)
  • *.pinterest.com (Website)

Vulnerabilities reported on other Pinterest properties or applications not listed as 'In scope' are currently not eligible for monetary rewards (as they come into scope, they will be added to this section). However, they are still eligible for our Hall of Fame.
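Before touching a host, check it against the `*.pinterest.com` wildcard the way a scope rule actually means it: a label-wise suffix match, not a plain string suffix match, so that `evil-pinterest.com` and `pinterest.com.attacker.net` are correctly rejected. The checker below is an added example and is not part of the Bugcrowd brief or Pinterest's own tooling; the `IN_SCOPE_WEB` list is copied from the in-scope table above, and whether the apex `pinterest.com` itself is covered by `*.pinterest.com` is an assumption (it defaults to in scope here) that you should confirm with the program before testing it.

```python
"""Wildcard scope check for the *.pinterest.com web target.

Added example (not from the brief). Host matching against a wildcard is a
label-wise suffix match: "api.pinterest.com" is in scope, but
"evil-pinterest.com" and "pinterest.com.attacker.net" are not, even though
both end in the string "pinterest.com". Whether the bare apex "pinterest.com"
counts as matching "*.pinterest.com" is an ASSUMPTION controlled by
include_apex; confirm with the program owner.
"""
from urllib.parse import urlsplit

# Web target from the "In scope" table of the brief.
IN_SCOPE_WEB = ["*.pinterest.com"]


def _host_of(target: str) -> str:
    """Extract a normalised hostname from a URL or a bare host[:port] string."""
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        # Bare host, possibly with a port or path glued on.
        host = target.split("/", 1)[0].split(":", 1)[0]
    # Drop a trailing dot (FQDN form) and compare case-insensitively.
    return host.rstrip(".").lower()


def matches_pattern(host: str, pattern: str, include_apex: bool = True) -> bool:
    """Return True if host is covered by pattern ("*.example.com" or exact)."""
    host_labels = host.split(".")
    pat_labels = pattern.lower().split(".")
    if pat_labels[0] != "*":
        # Exact hostname pattern: labels must match one for one.
        return host_labels == pat_labels
    base = pat_labels[1:]
    if host_labels == base:
        # Apex itself: coverage is a policy question, see include_apex.
        return include_apex
    # Host must end with the base labels AND have at least one extra label
    # in front; comparing label lists (not strings) is what defeats
    # "evil-pinterest.com" style look-alikes.
    return len(host_labels) > len(base) and host_labels[-len(base):] == base


def in_scope(target: str, patterns=IN_SCOPE_WEB, include_apex: bool = True) -> bool:
    """True if the URL or host falls under any in-scope web pattern."""
    host = _host_of(target)
    if not host:
        return False
    return any(matches_pattern(host, p, include_apex) for p in patterns)


if __name__ == "__main__":
    # Constructed sample targets, not taken from any real recon data.
    for t in ["https://www.pinterest.com/bugbountyvictim/", "api.pinterest.com",
              "evil-pinterest.com", "pinterest.com.attacker.net", "pinterest.com"]:
        print(f"{t:45s} in scope: {in_scope(t)}")
```

The extensions, mobile apps and GitHub projects in the table are separate targets and are not covered by this hostname check; treat them on their own terms.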

Mobile applications can be downloaded at:

Focus Areas: These issues are of particular interest and will be considered for top rewards:

  • Remote Code Execution
  • Significant Authentication Bypass
  • Cross Site Request Forgery on Critical Actions
  • Cross Site Scripting (excluding self-XSS)
  • Pinterest Buyable Pins related security bugs
  • Exfiltration of Sensitive Data or PII

Out of Scope:

  • External authentication injection

Eligibility and Responsible Disclosure

We are pleased to thank every researcher who submits valid reports that help us improve the security of Pinterest. However, only those that meet the following eligibility requirements may receive a reward:

  • The vulnerability must be a qualifying vulnerability (see Scope).
  • We must not be legally prohibited from rewarding you.
  • You must not publicly disclose the vulnerability prior to our resolution.
  • You must not be employed by Pinterest or its subsidiaries or related entities.

Terms and Conditions

  • Submitters must not access data except to the extent minimally required to identify a vulnerability, and any use of data accessed must be limited to identifying and reporting the vulnerability.
  • You must comply with all applicable laws in connection with your participation in this program.
  • As a condition of participation in this program, you hereby grant Pinterest, its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Pinterest in connection therewith, for any purpose.
  • This program is not an offer of employment, nor does it create a contractual relationship between Pinterest and any other party. You are responsible for any applicable taxes associated with any reward you receive. We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.

This bounty requires explicit permission to disclose the results of a submission.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.