Adobe is launching a new web application vulnerability disclosure program.
Eager security researchers need not get overly excited about bagging a bumper pay day though – unlike Facebook, Twitter, Google, Mozilla and others, Adobe has decided to offer reputational rather than financial incentives in return for valid submissions.
In a blog post written Wednesday, Pieter Ockers, Security Program Manager, PSIRT, said:
In recognition of the important role that independent security researchers play in keeping Adobe customers safe, today Adobe launches a web application vulnerability disclosure program on the HackerOne platform. Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score.
Adobe’s new program has been released on HackerOne, an online platform used by many tech firms including Dropbox, Twitter, Yahoo and, as of this week, AirBnB, to receive and manage vulnerability reports.
Many of the firms that use HackerOne in preference to their own systems offer cash bounties as a reward but, since October, the service has offered a new feature that provides a reputational ranking to registered users, based on the nature and accuracy of the reports they submit.
The intention of such a system is to allow response teams to assess and prioritise submissions based on the reputation of the researcher and the usefulness of their previous disclosures.
Adobe offers detailed information about its new program within its disclosure guidance notes, saying that it is limited to Adobe-owned products but does not cover Flash or Adobe Reader.
The disclosure guidelines note that credit will only be given to the first person to report any given vulnerability and that Adobe must be given a “reasonable amount of time” to fix the flaw before the researcher goes public with their findings.
While Adobe’s decision to launch a bug bounty program is definitely a step in the right direction, many readers may question why no cash rewards are on offer.
The cynical among you may even suggest that Adobe’s arguably poor record, including a massive data breach in 2013, and a large number of other historical issues, could have scared the money men away from such a program.
They EXCLUDE their two most bug-riddled and abused products, Flash and Reader? That is ridiculous.
Those reputation points cost them bank. They’d go morally bankrupt if they included Flash and Reader. Oh wait….
Best joke I’ve heard all week. Can’t wait to see what you post on April 1, Lee.
OK, so let me see if I understand this:
This is the company behind one of the largest breaches of security in history (measured by “highest number of compromised accounts”).
They’re also the company that, after allowing 150,000,000 accounts and passwords to get into the wild, immediately followed up by demanding that all their customers going forward upgrade to Creative Suite Cloud, thus forcing their customers to fully trust their security.
And, this is on top of having arguably the number 2 and 3 buggiest software packages on the planet excluded from the bug catcher program.
AND, they’re not going to pay hackers, thus creating a huge incentive to NOT report issues.
I agree with Mr. Marks: Best joke I’ve heard in a long time.