After having described the various mistakes that allowed the intruder to obtain and leak information about 4chan users, as well as moderator names and IP addresses, Poole added that they have patched the vulnerability that made the attack possible, and have spent two weeks reviewing their code and servers "to apply fixes and make improvements where possible."
The attacker also managed to compromise Poole's AWS account, and create an admin account, which allowed him to spin up a hundred extra-large instances, likely for Bitcoin mining.
"There’s no silver bullet when it comes to security, and the only way to stay ahead of it is constant vigilance," he noted in a blog post. "Don’t rely on any one method to protect your service, assume the methods you already have in place don’t work, adhere to best practices, and make it a point to revisit security on a regular basis—not just when something goes terribly wrong."
To that end, they have started the bug bounty program, which will include vulnerabilities and bugs in websites and services operated by 4chan (chan.org, 4channel.org, 4cdn.org, and their subdomains).
Researchers are urged to test for both hardware and software flaws, but are warned not to submit vulnerabilities reported by automated vulnerability scanning tools unless they have a working PoC or reason to believe that the issue is exploitable. They are also told that 4chan users, volunteers, customers, and employees are not to be targeted (either physically or via social engineering).
"We will investigate all legitimate reports and do our best to quickly fix the problem," Poole announced. Less than 24 hours after the program was launched, a bug had already been submitted and resolved by the team.
As far as the bounties are concerned, they are largely symbolic: inclusion in the 4chan Hall of Fame, and either $20 in self-serve advertising credit valid for one year, or a 4chan Pass valid for one year.
Now it only remains to be seen if these incentives will be enough.