Sign up to our newsletter
Adobe, the company behind Flash, Photoshop and Adobe Reader, has launched a program encouraging security researchers to find and report possible vulnerabilities to the firm.
In a short blog post on Wednesday, Pierter Ockers, the security program manager at Adobe announced the move, saying, “Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score.”
Unlike companies such Facebook, Twitter, Microsoft and Google, Adobe will not be providing any cash incentives for reporting vulnerabilities, instead relying on HackerOne’s built in reputation score system. Introduced last October, PC World explains that this system was introduced to quickly rank researchers based on the quality and accuracy of their submissions. “This allows security response teams from companies that use the platform to more easily discover reports that are likely to be valid.”
The program’s disclosure guidelines explain that submissions are for Adobe owned products only, and that they are looking for cross-site scripting, server-side code execution, injections, authentication flaws and security misconfiguration. Password reset flaws, missing security headers, cookie flags and low-severity cross-site request forgery are omitted from the program, unless evidence is provided demonstrating the exploit.
Credit it only given to the first to find the flaw, and only if they give Adobe a “reasonable” amount of time to fix the issue before going public, ZDNet reports.
Whether or not Adobe will attract many submissions without the incentive of financial rewards remains to be seen, but others have managed to patch plenty of potential exploits with paid ‘bug bounties’. In February, we reported that since 2010 Google has paid over $4,000,000 in rewards, while Facebook paid out $1,300,000 in 2014 alone.
Author Alan Martin, ESET