Adobe launches cashless bug bounty
If you had as many bugs as Adobe, would you offer cash?
Adobe has launched a bug bounty program that hands out high-fives, not cash.
The web application vulnerability disclosure program announced today and launched last month operates through HackerOne used by the likes of Twitter, Yahoo!, and CloudFlare, some of which provide cash or other rewards to those who disclose security messes.
Adobe's program seeks out common flaws in its online services, including cross-site scripting; privileged cross-site request forgery; server-side code execution; authentication or authorisation flaws; injection vulnerabilities; directory traversal; information disclosure, and significant security misconfiguration.
"In recognition of the important role that independent security researchers play in keeping Adobe customers safe, today Adobe launches a web application vulnerability disclosure program on the HackerOne platform," wrote Adobe security program manager Pieters Ockers.
"Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score."
Hackers will need to be the first in for reporting a flaw and offer Adobe "reasonable" time to fix the flaws prior to public disclosure, Ockers says.
Smaller vulnerabilities such as the following are excluded:
- Logout and other instances of low-severity cross-site request forgery
- Perceived issues with password reset links
- Missing http security headers
- Missing cookie flags on non-sensitive cookies
- Clickjacking on static pages
The announcement comes as AirBnB this week launched its bug bounty on the popular HackerOne platform.
Bug bounties work best when they offer cash, according to BugCrowd engineer Drew Sing. In vulnerability program guidelines published July he says money is the best incentive to encourage researchers to conduct more regular and intense testing of products and services.
"A high priority security issue handled improperly could damage the reputation of the organisation ... the development, IT and communications team are all critical components to a successful program," Sing says.
The managed bug service recommends bounties should be published in an obvious location on websites, preferably located with the /security subdomain, and sport a dedicated security contact who is well-briefed in handling disclosures.
So why has Adobe decided street cred, not cash, is the way to go? Wags might wonder if the company's infamously-porous products have so many bugs that a cash bounty could dent the bottom line. ®
Sponsored: Becoming a Pragmatic Security Leader