Adobe Creates Web Flaw Reporting Program, Sans Bounty
The software maker adds disclosure guidelines for bugs found on its Web properties, but the company—bucking the trend—does not offer a bounty.Software maker Adobe launched a Web application vulnerability disclosure program, inviting security researchers to submit bugs found in its Web properties, but has declined to pay out rewards for high-severity bugs. The program, announced on March 4, gives researchers guidelines for testing Adobe properties and highlights eight categories of Web application weaknesses on which bug hunters should focus, such as cross-site scripting, cross-site request forgery in a privileged context, and injection vulnerabilities. The only reward for the researchers, however, is the ability to boost their credibility score on the vulnerability-management service HackerOne, Pieter Ockers, security program manager for Adobe's Product Security Incident Response Team (PSIRT), said in a statement. "Bug hunters who identify a Web application vulnerability in an Adobe online service or Web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score," he said. Software and online service firms are increasingly adopting vulnerability-disclosure programs, usually offering researchers who find and disclose bugs some reward. Software developers such as Google's Chromium project, Mozilla, and even Microsoft offer significant cash bounties for finding vulnerabilities in their products. Many more Web services—including Facebook, Etsy, Coinbase and Blogger, to name a few—have also created bug-bounty programs, according to BugCrowd, a vulnerability management and assessment service.
So far, Adobe has resisted the call for software firms to pay for bugs, declining to provide remuneration to third-party researchers for vulnerabilities found in either its products or its Web services. Instead, the company focuses on its software development lifecycle and third-party assessments, a company spokesperson stated in response to queries from eWEEK.