It all started by auditing Pornhub, then PHP and ended in breaking both…

tl;dr: We have gained remote code execution on pornhub.com and have earned a $20,000 bug bounty on HackerOne. We have found two use-after-free vulnerabilities in PHP’s garbage collection algorithm. Those vulnerabilities were remotely exploitable over PHP’s unserialize function. We were also awarded $2,000 by the Internet
![How we broke PHP, hacked Pornhub and earned $20,000 | Bug Bounties - Evonide](https://cdn-ak-scissors.b.st-hatena.com/image/square/2f3d57d2ac3ca3be47a490d0e5787dbea232cd71/height=288;version=1;width=512/https%3A%2F%2Fwww.evonide.com%2Fwp-content%2Fuploads%2F2016%2F06%2Fzval-attack-1024x254.jpg)