Glitches for desktop products are not eligible

Mar 5, 2015 09:04 GMT  ·  By

Security bugs discovered in web applications used by online services from Adobe can now be reported privately to the company through the freshly launched vulnerability disclosure program.

The submissions are handled through the HackerOne platform, which is the choice of many reputable organizations like Dropbox, Vimeo, Sucuri, Twitter, CloudFlare, Khan Academy, Yahoo!, OpenSSL, Python, PHP, Perl or Ruby.

Issues are validated by a PSIRT member

The list of glitches eligible for Adobe’s new program includes cross-site scripting (XSS), cross-site request forgery (CSRF) in a privileged context, server-side code execution, authentication or authorization flaws, injection vulnerabilities, directory traversal flaws and security misconfiguration faults.

Adobe says that bug hunters are credited for their findings if they are the first to report them and do not make a public disclosure before allowing the developers sufficient time to solve the problem.

When reporting a weakness, the researcher is required to provide clear instructions on how it can be reproduced. All submissions are checked by a member of PSIRT (Product Security Incident Response Team).

Adobe warns that its products intended for desktop use (Flash Player, Reader) are not covered by this vulnerability disclosure program.

Cash rewards may not be given

It is unclear if financial rewards are available. In a short blog post published on Wednesday, PSIRT security program manager Pieter Ockers did not mention any money prizes and said that bug hunters have a chance to disclose the issues they find “while boosting their HackerOne reputation score.”

Most companies with a vulnerability reporting program pay for valid bugs that could jeopardize the security of their products.

The recent release of the stable version of Google Chrome 41 involved fixing a total of 51 security problems, some of them reported by external researchers; Google paid around $52,000 / €47,000 for their effort and private submissions.

In 2014, Facebook paid $1.3 / €1.15 million for valid security notifications received from third parties. Google spent $1.5 / €1.35 million last year through its Vulnerability Reward Program.

This strategy has proved to be an efficient way to incentivize security researchers to test the products and thus achieve the goal of offering better protection to the customers who use them.