In a bid to improve the security of its products, Adobe yesterday launched a web application vulnerability disclosure program for security researchers. The program was launched on the HackerOne platform and encourages security researchers to report security vulnerabilities in web applications owned by Adobe.
Adobe Vulnerability Disclosure Program
Announcing the bug bounty program on HackerOne, Adobe said that it will allow researchers to submit vulnerabilities privately and directly to Adobe.
Adobe has finally followed in the footsteps of other software giants such as Microsoft, Mozilla, PayPal, Facebook, and other software companies that have traditionally sponsored bug bounty programs and seen great success in getting high-severity vulnerabilities fixed.
Pieter Ockers, Adobe’s Security Program Manager, PSIRT, wrote on the company blog:
“In recognition of the important role that independent security researchers play in keeping Adobe customers safe, today Adobe launches a web application vulnerability disclosure program on the HackerOne platform. Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score.”
Regarding the program’s disclosure guidelines, Adobe said that it is limited to security vulnerabilities in web applications owned by Adobe. Vulnerabilities affecting Adobe desktop products such as Flash Player or Adobe Reader, or enterprise on-premise solutions, are not in scope of this program and should instead be reported by email to the Product Security Incident Response Team.
The eligible web application vulnerability classes are as follows:
- Cross-site scripting
- Cross-site request forgery in a privileged context
- Server-side code execution
- Authentication or authorization flaws
- Injection vulnerabilities
- Directory traversal
- Information disclosure
- Significant security misconfiguration
As a reward for reporting bugs, researchers receive a boost to their HackerOne reputation score for each legitimate report. However, this may not be a strong motivator given the trend of software companies offering substantial financial rewards for vulnerability reports.