Pornhub have active bug bounties. In general you have to sign up to abide by the rules, which generally say how far you can take an exploit, i.e. prove it works but don't fuck with the actual data just to show you can. Your exploit would show that you could and that's what they want you to do.
To what extent? What if you do something on accident that ends up messing up their stuff? Just the first example I can think of: you figure out a way to reboot an instance which lets you exploit a race condition in some auth code, and don't realize that the instance you're killing is critical for some other function (let's say billing) and you end up causing some real monetary damage, even though you had no idea.
Two words -- honor code. Rock the boat and you will find yourself in an unpleasant situation, so instead everybody does good work and nobody asks too many questions.
Honor codes for stuff that traditionally involves corporations going after individuals for criminal charges. I feel that's a bit of a crazy proposition.
When people say "honor code" around me, it usually means, "Do something honorable, even though it's against your self interest."
For both white hats and Pornhub, the legal/authorized bounty system is in their interest. White hats are making less money than some black hats, but they're not constantly terrified of being prosecuted under intense anti-hacking laws. Pornhub is spending a lot less than they would if they were hacked by black hats. Both parties win.
Ehhhhh, a real answer here dictates whether I sign up to HackerOne on Tor and request bitcoin payouts, or if I do it on clearnet, fill out 1099s with my real/entity name, and link my bank accounts.