CIO

Pinterest goes HTTPS, launches bug bounty with cashed-up Bugcrowd

  • Liam Tung (CSO Online)
  • 17 March, 2015 09:17

Pinterest, the company that lets users pin the web, has switched on HTTPS for its website and launched a bug bounty with Australian-born crowdsourcing platform Bugcrowd, which has landed $6m in VC funding.

Pinterest has rolled out a more secure version of its website that uses HTTPS by default, encrypting data in transit between its servers and users' browsers. An HTTPS site presents a certificate signed by a certificate authority, which lets the browser verify that it is the site it claims to be.

Until now Pinterest was one of the many websites that hadn't enabled HTTPS by default; it now joins a growing number that have, including Twitter, Facebook, Yahoo and Google. Facebook originally offered HTTPS only for its login page, but in 2012 made the whole site HTTPS. Google, an HTTPS trailblazer, last year flagged that it would use HTTPS as a search ranking signal, giving sites an incentive to make the switch to HTTPS.

To see the details of the certificate Pinterest has used to verify its identity and whether the connection is secure, users can click the padlock icon in the address bar of Google’s Chrome browser.

Pinterest's engineering team said it hit a number of bumps along the way to implementing HTTPS, but it also saw a 10 percent increase in signups per day after it fixed an earlier redirect from an HTTP page to the HTTPS signup page.

Benefits of the change include encrypting traffic in transit, which thwarts man-in-the-middle attacks, session hijacking and content injection by anyone sitting on the network path.

“We will continue our journey towards HTTPS with further enhancements including HTTP Strict Transport Security (HSTS), which will prevent SSL stripping. We also plan to work with Chromium to preload our domain to prevent SSL stripping on a user’s first visit to Pinterest,” said Paul Moreno, the security engineering lead on Pinterest’s cloud team.
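As an added illustration of the SSL-stripping point above (example code written for this page, not Pinterest's or Bugcrowd's own), the Python below parses a Strict-Transport-Security header, checks it against the public hstspreload.org submission rules as they stand today (an assumption: a max-age of at least one year, includeSubDomains and the preload directive), and models the browser-side decision that makes HSTS work: a plain http:// navigation is upgraded before any packet leaves only if the host is already in the browser's HSTS cache or in the baked-in preload list, which is why the first visit stays strippable until the domain is preloaded. The hostnames and header values are constructed.

```python
"""HSTS header parsing, preload-eligibility check, and a model of the
browser's upgrade decision for a cleartext http:// navigation.

Added example, not Pinterest's or Bugcrowd's code. The one-year threshold and
the other preload requirements are taken from the public hstspreload.org rules
(assumption: current rules); hostnames and headers below are constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; minimum max-age hstspreload.org accepts (assumption)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns None if max-age is missing or not an integer, which a browser
    treats as no policy at all. Directive names are case-insensitive and
    unknown directives are ignored, as the RFC requires."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: Optional[HstsPolicy]) -> list:
    """Return the hstspreload.org submission requirements the policy fails."""
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def upgrade_url(url: str, hsts_cache: dict, preload_list: set) -> tuple:
    """Model what a browser does with a plain http:// navigation.

    hsts_cache maps host -> HstsPolicy learned from earlier HTTPS responses;
    preload_list is the set of hosts baked into the browser (preloaded entries
    always cover subdomains, since includeSubDomains is a preload requirement).
    Returns (url_actually_requested, stripping_possible): stripping is only
    possible when the very first request goes out in cleartext."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url, False
    labels = (parts.hostname or "").split(".")
    # Check the exact host first, then each parent domain, as a browser does.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        exact = i == 0
        if candidate in preload_list:
            return urlunsplit(("https",) + tuple(parts[1:])), False
        policy = hsts_cache.get(candidate)
        if policy is not None and policy.max_age > 0 and (exact or policy.include_subdomains):
            return urlunsplit(("https",) + tuple(parts[1:])), False
    # Nothing known about this host: the request leaves in cleartext, and an
    # on-path attacker can answer it and keep the victim on HTTP.
    return url, True


if __name__ == "__main__":
    policy = parse_hsts("max-age=31536000; includeSubDomains; preload")
    print("preload problems:", preload_problems(policy))
    print("first visit, nothing cached:", upgrade_url("http://www.example.test/", {}, set()))
    print("after preload:", upgrade_url("http://www.example.test/", {}, {"example.test"}))
```

The two upgrade_url calls at the bottom are the whole story of the quote: with no cached or preloaded policy the first navigation is sent over HTTP and can be stripped, while a cached policy with includeSubDomains or a preload-list entry makes the browser rewrite the URL to https:// before it connects.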

At the outset the company was concerned it would face significantly higher costs from its content distribution network (CDN) providers because of the price of serving the site's images over HTTPS.

Pinterest turns to VC-backed Bugcrowd to unearth bugs

Along with the switch to HTTPS, Pinterest has teamed up with the crowdsourced, managed bug-hunting platform Bugcrowd for its bounty program, for the first time offering hackers cash rewards of between $25 and $200 per bug they find.

The company previously offered only recognition through Bugcrowd's Hall of Fame, but will now pay $200 (https://bugcrowd.com/pinterest) for a remote code execution bug or a "significant" authentication bypass.

Bugcrowd, co-founded in 2012 by Australian entrepreneur Casey Ellis, last week landed $6m in a Series A round led by Costanoa Venture Capital, along with Rally Ventures, Paladin Capital Group and the Australian VC Blackbird Ventures.

Bugcrowd has recently signed up enterprise customers such as Western Union and Barracuda Networks, a sign that the enterprise market is ready for its approach.

"Bugcrowd's traction with more traditional enterprises outside of early tech companies is demonstrating the market is ready," said Jeremiah Grossman, the CEO of WhiteHat Security, who took on an advisory role to Bugcrowd along with the new funding.

This article is brought to you by Enex TestLab, content directors for CSO Australia.