5640 policies in database
Link to program      
Pornhub logo


50 $ 


Security is a top priority at Pornhub. We love to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.


At this time, the scope of this program is limited to security vulnerabilities found on the Pornhub and Pornhub Premium websites as well as in the Pornhub Mobile application. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. High impact vulnerabilities outside of this scope might be considered on a case by case basis.

In-Scope Sub-Domains:


Out-of-Scope Sub-Domains:

https://cms.pornhub.com/ (as of May 25th)

For all the programs CMS applications will be out of scope [not rewarded].

For account access issues or visual layout and website functionality (QA) bugs, please work with our Customer Support which will resolve those issues independently.

Contacting our support team about; the status of a HackerOne report or the decision of which your report was concluded, will result in an immediate disqualification from receiving a reward. All communications must be conducted through the HackerOne's communication system only.


You will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Pornhub security team has up to 48 hours to first respond, up to 15 days to triage and reward the report, and up to 90 days to implement a fix based on the severity of the report.

Please allow for this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report or posting details that reflect negatively on the program and the Pornhub brand will result in immediate removal from the program.

  • Any vulnerability found must be reported no later than 24 hours after discovery.
  • You are not allowed to disclose details about the vulnerability anywhere else.
  • You must avoid tests that could cause degradation or interruption of our services.
  • You must not access, leak, manipulate, or destroy any user data.
  • You are only allowed perform tests against accounts you own yourself.
  • The use of automated tools or scripted testing is not allowed. This includes vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of our services.
  • To obtain any type of verified account on Pornhub your user's account must be created using the HackerOne alias email 'username@wearehackerone.com'.


To qualify for a reward under this program, you should:

  • Be the first to report a vulnerability.
  • Send a clear textual description of the report along with steps to reproduce the vulnerability (PoC).
  • Include attachments such as screenshots or proof of concept code as necessary.
  • Disclose the vulnerability report directly and exclusively to us.

Pornhub may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD, and our maximum reward amount is $25,000 USD.
*Reward amounts may vary depending upon the severity of the vulnerability reported. *

Swag may be awarded as a bonus to qualifying, in-scope reports. We allow one swag item per researcher. We will not respond to repeated requests to be awarded swag under any circumstances.

The following table is a reference for the average rewards of specific classes of vulnerabilities. Rewards are calculated based on the severity and impact.

Vulnerability Types | Core Pornhub * | All Other
Remote Shell / Command Execution | $15,000 | $5,000
Remote Code Execution | $10,000 | $2,500
SQL Injection (with output) | $5,000 | $2,500
Significant Authentication Bypass | $5,000 | $1,000
Local file Inclusion | $2,500 | $1,000
SQL Injection (blind) | $2,500 | $1,000
Insecure Direct Object References | $1,500 | $750
Server Side Request Forgery | $1,500 | $750
Stored Cross Site Scripting | $1,500 | $500
Other Cross Site Scripting | $250 | $50

* Core Pornhub covers www.pornhub.com and www.pornhubpremium.com as well as the official Pornhub mobile application. It does not include any other domains, sub-domains, or services, including any Pornhub blogs such as Blog or Support systems.

Pornhub reserves the right to decide if the minimum severity threshold is met and whether the report was previously reported. Rewards are granted entirely at the discretion of Pornhub.

A good bug report should include the following information at a minimum:

  • List the URL and any affected parameters
  • Describe the browser, OS, and/or app version
  • Describe the perceived impact. How could the bug potentially be exploited?

Exceptions & Rules

Our bug bounty program is limited strictly to technical security vulnerabilities of Pornhub services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.

Please do not mass create accounts to perform testing against Pornhub applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.

HackerOne Vulnerability Disclosure

In order for your report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected.

The following are strictly prohibited:

  • Denial of Service attacks.
  • Physical attacks against offices and data centers.
  • Social engineering of our service desk, employees or contractors.
  • Compromise of a Pornhub user's or employee's account.
  • Automated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.

Additionally, the following vulnerabilities will not be considered for bounty:

  • Cross site request forgery (CSRF)
  • Cross domain leakage
  • Information disclosure
  • Information leakage, data cached in search engines or the web archive
  • Software version disclosure
  • Self-XSS and XSS without impact
  • Missing SPF or DMARC records
  • HttpOnly, SameSite and Secure cookie flags
  • SSL/TLS related (such as HSTS, GET over HTTP, Password sent in HTTP)
  • Password and account recovery policies
  • Session timeout
  • Session Hijacking (cookie reuse)
  • Missing X-Frame or X-Content headers
  • Account enumeration
  • Click-jacking
  • Rate-limiting
  • Downloading video
  • Confirmation Email (anything related with)

Legal Notes:

You must be at least 18 years old to participate in our Bug bounty Program.

Payments are made through HackerOne only. You are responsible for paying any taxes associated with rewards.

Employees of the Company, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in our Bug Bounty Program but are not eligible for monetary rewards. The term “immediate family” includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriages(s), remarriage(s), adoption, co-habitation or other family extension, and any other persons residing at the same household whether or not related.

We reserve the right to modify the terms of this program or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.

Thank you for helping keep Pornhub safe!

In Scope

Scope Type Scope Name










Firebounty have crawled on 2016-05-10 the program Pornhub on the platform Hackerone.

FireBounty © 2015-2020

Legal notices