Adobe launches bountyless bug hunt program on HackerOne

Adobe launches bountyless bug hunt program

AdobeAdobe is launching a new web application vulnerability disclosure program.

Eager security researchers need not get overly excited about bagging a bumper pay day though – unlike Facebook, Twitter, Google, Mozilla and others, Adobe has decided to offer reputational rather than financial incentives in return for valid submissions.

In a blog post written Wednesday, Pieter Ockers Security Program Manager, PSIRT, said:

In recognition of the important role that independent security researchers play in keeping Adobe customers safe, today Adobe launches a web application vulnerability disclosure program on the HackerOne platform. Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score.

Adobe’s new program has been released on HackerOne, an online platform used by many tech firms including Dropbox, Twitter, Yahoo and, as of this week, AirBnB, to receive and manage vulnerability reports.

Many of the firms that use HackerOne in preference to their own systems offer cash bounties as a reward but, since October, the service has offered a new feature that provides a reputational ranking to registered users, based on the nature and accuracy of the reports they submit.

The intention of such a system is to allow response teams to assess and prioritise submissions based on the reputation of the researcher and the usefulness of their previous disclosures.

Adobe offers detailed information about its new program within its disclosure guidance notes, saying that it is limited to Adobe-owned products but does not cover Flash or Adobe Reader.

The disclosure guidelines note that credit will only be given to the first person to report any given vulnerability and that Adobe must be given a “reasonable amount of time” to fix the flaw before the researcher goes public with their findings.

While Adobe’s decision to launch a bug bounty program is definitely a step in the right direction, many readers may question why no cash rewards are on offer.

The cynical among you may even suggest that Adobe’s arguably poor record, including a massive data breach in 2013, and a large number of other historical issues, could have scared the money men away from such a program.