Update: Adobe is the latest tech vendor to begin a vulnerability disclosure program, but it seems they’re limping in at the outset.
The program launched this week on the HackerOne platform, but there are no cash incentives being offered and certain Adobe products are not in scope for researchers.
“Bug hunters who identify a Web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score,” said Pieter Ockers, Adobe security program manager, PSIRT.
Other successful bounty programs, whether privately managed or done through a platform such as HackerOne’s or Bugcrowd’s, have paid out significant rewards to researchers. Google, for example, recently announced that it paid out $1.5 million last year alone, while Facebook paid out $1.3 million and reported receiving more than 17,000 submissions to its program.
Adobe said its program is limited to vulnerabilities discovered in its Web applications; bugs in scope of the program include most of the most common web app ailments, including cross-site scripting, cross-site request forgery, server-side code execution, authentication flaws, injection vulnerabilities, directory traversal, information disclosure, or security misconfiguration or bypass flaws.
Out of scope are password reset issues, missing security headers, missing cookie flags, clickjacking bugs on static pages and low-severity cross-site request forgery vulnerabilities, Adobe said.
“To receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing,” Adobe said in explaining its guidelines. “When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.”
While desktop applications such as Adobe Reader, Acrobat and Flash Player, vulnerabilities for which have been used in a long line of targeted attacks, are out of bounds for this program, Adobe still hopes researchers will submit those to its incident response team. HackerOne, however, already runs Adobe Flash and Reader sandbox bounties that are not hosted by Adobe.
@Adobe will not offer cash incentives for its vulnerability disclosure program. via @ThreatpostTweet
“As a critical component of the Adobe Secure Product Lifecycle, we conduct extensive testing by investing significant resources internally and through consulting engagements with the security research community. We find immense value when researchers are able to conduct a full white box assessment with direct access to internal product engineers and materials,” Adobe said in a statement provided to Threatpost. “We continue to evaluate approaches that may be appropriate for our environment and acknowledge researchers, customers and partners who provide vulnerability reports in our security bulletins and through a variety of other means.”
During the recent Kaspersky Lab Security Analyst Summit, HackerOne chief policy officer Katie Moussouris, the architect of Microsoft’s coordinated disclosure program during her time in Redmond, said that for a long time researchers were content with acknowledgement in a Microsoft bulletin as compensation for their work. But with so many bounty programs operating successfully, and a thriving vulnerability broker economy shaking up the market, meager incentives such as recognition in “10-point font” as Moussouris recalls, may not be enough.
“Microsoft never wanted to pay for vulnerability information,” Moussouris said during her talk at SAS. “At the time, why should they since so many came for free?”
Moussouris advised companies thinking about a bounty to think strategically, focus on eliminating entire classes of security vulnerabilities versus one-off fixes, and offer incentives for researchers to build mitigations. Such incentive plans should help feed an enterprise software development lifecycle, she said.
This article was updated at 4 p.m. with comments from Adobe.