Pinterest goes HTTPS, launches bug bounty with cashed-up Bugcrowd

Pinterest, the company that lets users pin the web, has switched on HTTPS for its website and launched a bug bounty with Australian-born crowdsourcing platform Bugcrowd, which has landed $6m in VC funding.

Pinterest has rolled out a more secure version of its website that uses the HTTPS protocol by default to encrypt data between its servers and users' browsers. An HTTPS site presents a certificate issued by a certificate authority, which lets the browser verify that the site is the one it claims to be.

Until now Pinterest was one of many websites that had not enabled HTTPS; it now joins a growing number that have, including Twitter, Facebook, Yahoo and Google. Facebook originally offered HTTPS only for its login page, but in 2012 made the whole site HTTPS. Google, an HTTPS trailblazer, last year flagged that it would use HTTPS as a search ranking signal, giving sites an incentive to make the switch to HTTPS.

To see the details of the certificate Pinterest has used to verify its identity and whether the connection is secure, users can click the padlock icon in the address bar of Google’s Chrome browser.

Pinterest’s engineering team said it encountered a number of bumps along the way to implementing HTTPS, but it also saw a 10 percent increase in signups per day after it eliminated an earlier redirect from an HTTP page to the HTTPS signup page.

Benefits of the implementation include encrypted traffic and protection against man-in-the-middle attacks, session hijacking and content injection.

“We will continue our journey towards HTTPS with further enhancements including HTTP Strict Transport Security (HSTS), which will prevent SSL stripping. We also plan to work with Chromium to preload our domain to prevent SSL stripping on a user’s first visit to Pinterest,” said Paul Moreno, the security engineering lead on Pinterest’s cloud team.
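The HSTS and preload steps Moreno describes can be checked mechanically from a site's own responses. The Python below is an added example, not Pinterest's or Bugcrowd's code: it parses a `Strict-Transport-Security` header (RFC 6797 syntax) and evaluates a plain-HTTP response plus an HTTPS response against the conditions the public preload list at hstspreload.org requires (a `max-age` of at least one year, `includeSubDomains` and `preload`). The hostname `www.example.com`, the header values and the two sample responses are constructed so the script runs offline; fetching real headers with `http.client` is left to the reader.

```python
"""Check an HTTPS rollout for the HSTS and preload requirements.

Added example (not Pinterest's or Bugcrowd's code). Inputs are constructed
header dictionaries so that the script runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minimum max-age (seconds) the public HSTS preload list (hstspreload.org) accepts.
PRELOAD_MIN_MAX_AGE = 31_536_000  # one year

REDIRECT_STATUSES = (301, 302, 307, 308)


@dataclass
class HstsPolicy:
    present: bool = False
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value: Optional[str]) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value; directives are case-insensitive."""
    if header_value is None:
        return HstsPolicy()
    policy = HstsPolicy(present=True)
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                policy.max_age = int(value)
            except ValueError:
                policy.max_age = None  # malformed value: browsers ignore the header
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def assess(http_status: int, http_location: Optional[str],
           https_headers: Dict[str, str]) -> List[str]:
    """Return findings for one site; an empty list means every check passed."""
    findings: List[str] = []
    # 1. The plain-HTTP endpoint must redirect to an https:// URL, otherwise a
    #    network attacker can keep a victim on HTTP (SSL stripping).
    location = (http_location or "").lower()
    if http_status not in REDIRECT_STATUSES or not location.startswith("https://"):
        findings.append("HTTP endpoint does not redirect to HTTPS; SSL stripping remains possible")
    # 2. HSTS must be sent over HTTPS so returning browsers refuse plain HTTP.
    hsts = parse_hsts(header(https_headers, "Strict-Transport-Security"))
    if not hsts.present:
        findings.append("no Strict-Transport-Security header; browsers will not pin HTTPS")
        return findings
    if hsts.max_age is None:
        findings.append("HSTS max-age missing or malformed; browsers ignore the header")
    elif hsts.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"HSTS max-age {hsts.max_age} is below the preload minimum {PRELOAD_MIN_MAX_AGE}")
    if not hsts.include_subdomains:
        findings.append("HSTS lacks includeSubDomains; subdomains are not covered by the policy")
    if not hsts.preload:
        findings.append("HSTS lacks preload; the first visit before the policy is cached is unprotected")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed before/after responses for a hypothetical www.example.com."""
    before = assess(200, None, {"Content-Type": "text/html"})
    after = assess(301, "https://www.example.com/",
                   {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
    return {"before": before, "after": after}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The "before" response reproduces the state the article describes for a site that has not enabled HTTPS (two findings: no redirect, no HSTS), while the "after" response passes every check. Note that `max-age` and the redirect are necessary but not sufficient for preload inclusion; hstspreload.org also verifies the certificate chain and the redirect on the bare domain, which this script does not model.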

At the outset the company was concerned it would face significantly higher costs from its content distribution network (CDN) providers because of the price of serving the site’s images over HTTPS.

Pinterest turns to VC-backed Bugcrowd to unearth bugs


Along with the switch to HTTPS, Pinterest has teamed up with Bugcrowd, a crowdsourced managed bug-hunting platform, for its bounty program, offering hackers cash rewards of between $25 and $200 per bug for the first time.

The company previously offered only recognition through Bugcrowd’s Hall of Fame, but will now pay $200 (https://bugcrowd.com/pinterest) for a remote execution bug or a “significant” authentication bypass.

Bugcrowd, co-founded in 2012 by Australian entrepreneur Casey Ellis, last week landed $6m in a Series A round led by Costanoa Venture Capital, along with Rally Ventures, Paladin Capital Group and Australian VC firm Blackbird Ventures.


Having recently signed up enterprise companies such as Western Union and Barracuda Networks, Bugcrowd is showing signs that the enterprise market is ready for its approach.

“Bugcrowd’s traction with more traditional enterprises outside of early tech companies is demonstrating the market is ready,” said Jeremiah Grossman, the CEO of WhiteHat Security, who took on an advisory role to Bugcrowd along with the new funding.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
