Adobe launches bug disclosure program, skimps on bounties
Adobe has launched its own web application vulnerability disclosure program.
Set up through the bug bounty platform HackerOne, the program is limited to vulnerabilities affecting Adobe online services or its web properties.
Adobe is looking for the following types of flaws: Cross-site scripting, cross-site request forgery in a privileged context, server-side code execution, authentication or authorization flaws, injection vulnerabilities, directory traversal, information disclosure, and significant security misconfiguration.
Spam, social engineering or denial of service issues are out of bounds, and so are a series of low-severity issues like missing cookie flags on non-sensitive cookies or perceived issues with password reset links – unless the submitter can prove they are actually exploitable.
According to Adobe, one of the conditions for receiving credit for finding a bug is to provide the company “a reasonable amount of time to remediate before publicly disclosing,” but they haven’t said how long this grace period actually should be.
Bug hunters will, unfortunately, not be receiving any monetary reward for successful submissions. They will only be publicly thanked and will boost their HackerOne reputation score.
“All vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com],” the company made sure to add.