Adobe Creates Web Flaw Reporting Program, Sans Bounty

The software maker adds disclosure guidelines for bugs found on its Web properties, but the company—bucking the trend—does not offer a bounty.

Adobe bug reporting

Software maker Adobe launched a Web application vulnerability disclosure program, inviting security researchers to submit bugs found in its Web properties, but has declined to pay out rewards for high-severity bugs.

The program, announced on March 4, gives researchers guidelines for testing Adobe properties and highlights eight categories of Web application weaknesses on which bug hunters should focus, such as cross-site scripting, cross-site request forgery in a privileged context, and injection vulnerabilities. The only reward for the researchers, however, is the ability to boost their credibility score on the vulnerability-management service HackerOne, Pieter Ockers, security program manager for Adobe's Product Security Incident Response Team (PSIRT), said in a statement.

"Bug hunters who identify a Web application vulnerability in an Adobe online service or Web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score," he said.

Software and online service firms are increasingly adopting vulnerability-disclosure programs, usually offering researchers who find and disclose bugs some reward. Software developers such as Google's Chromium project, Mozilla, and even Microsoft offer significant cash bounties for finding vulnerabilities in their products. Many more Web services—including Facebook, Etsy, Coinbase and Blogger, to name a few—have also created bug-bounty programs, according to BugCrowd, a vulnerability management and assessment service.

So far, Adobe has resisted the call for software firms to pay for bugs, declining to provide remuneration to third-party researchers for vulnerabilities found in either its products or its Web services. Instead, the company focuses on its software development lifecycle and third-party assessments, a company spokesperson stated in response to queries from eWEEK.

"We conduct extensive testing by investing significant resources internally and through consulting engagements with the security research community," the spokesperson said. "We find immense value when researchers are able to conduct a full white box assessment with direct access to internal product engineers and materials."

Vulnerability reporting and management platforms, such as HackerOne and BugCrowd, are used to handle bug reports, triage the issues and track progress. Such services are a step up from companies that handle vulnerabilities through an ad-hoc system based on "a messy shared email box" and a spreadsheet, said Katie Moussouris, chief policy officer for HackerOne.

Each company must decide for themselves whether to create a bounty program, but many firms first adopt the infrastructure to handle bug reporting and later move to paying for vulnerabilities, she said.

"Since there is no such thing as a one-size-fits all bounty program, it is common for organizations to start with migrating their [vulnerability] coordination" first, she said. "By doing so, they are letting hackers build their reputation scores, which in turn allows top researchers to receive exclusive invitations to participate in bounty programs not open to the general public."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...