Adobe has taken the unusual step of launching a web app vulnerability program without offering researchers any cash reward for their findings.
Pieter Ockers, security program manager for the firm’s Product Security Incident Response Team (PSIRT), revealed that the web application vulnerability disclosure program would be made available via the third party HackerOne platform.
“Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score,” he added.
“We invite security researchers to view the disclosure guidelines available here.”
As the name suggests, the program only covers Adobe’s web-based products, so researchers who find problems in the firm’s desktop and enterprise on-premise solutions must still email PSIRT directly.
Eligible vulnerabilities include cross-site scripting, server-side code execution, authentication or authorization flaws, injection vulnerabilities, directory traversal, information disclosure and significant security misconfiguration.
“To receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing,” Adobe’s HackerOne page notes. “When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.”
The lack of any financial incentive is an odd move by Adobe, given the sizeable sums offered by other firms.
Google recently spent $80,000 on bug bounty payments to researchers who exposed flaws in Chrome, contributing to version 40 of the popular browser.
Developer platform GitHub has also got in on the act, recently raising its maximum reward from $5000 to $10,000 in a bid to attract more researchers.
Gavin Millard, EMEA technical director at Tenable Network Security, welcomed the program as providing a dedicated contact point for researchers keen to disclose discovered issues responsibly.
“Will the newly announced Adobe Web Services bug bounty fail due to the lack of a cash incentive? Probably not, but it will definitely be less of a focus for proactive research,” he told Infosecurity.
“Adobe already has a very successful bug bounty program for Flash that’s paid out roughly $100K since its inception last year so it’ll be interesting to see if the new program gets comparable attention.”
Eset security specialist Mark James described the new program diplomatically as an "interesting approach" for Adobe to take.
"Money talks the loudest of course but it is not the only reason we do things," he told Infosecurity by email.
"It’s good to see more and more companies taking an active role in getting their software fixed and the more companies that embrace the wealth of experience and knowledge available through bounties (either financial or fame) will only help protect us in the long run.”