Adobe launches vulnerability disclosure scheme on HackerOne
In a blog post on Wednesday, the software giant said the vulnerability disclosure program, hosted on HackerOne, will allow developers to privately submit vulnerabilities to the company. While the web application vulnerability disclosure program does not offer monetary rewards, developers who choose to submit bugs will boost their HackerOne reputation score with each accepted flaw.
Pieter Ockers, Adobe's Security Program Manager of the firm's Product Security Incident Response Team said the project was launched "in recognition of the important role that independent security researchers play in keeping Adobe customers safe."
Featured
In the program's disclosure guidelines, Adobe says security vulnerability disclosure is limited to Adobe-owned products, and the company encourages developers to focus on particular flaws including cross-site scripting, server-side code execution, injections, authentication flaws and security misconfiguration. Unless evidence is provided demonstrating an exploit, low-severity cross-site request forgery, password reset issues, missing http security headers and cookie flags as well as clickjacking on static pages are excluded from the program.
To receive credit for disclosing a flaw, developers must be the first to report a vulnerability, and grant Adobe a "reasonable" amount of time to fix the issue before disclosing anything publicly.
See also: Bug bounties: 'Buy what you want'
While Adobe's requests for vulnerability disclosures in return for HackerOne points are a step in the right direction, financial rewards probably wouldn't go amiss -- as many other software companies have discovered.
In February, Microsoft awarded Hewlett-Packard security researchers a bug bounty reward of $125,000 after detecting and proposing a solution to a severe vulnerability surrounding the isolated Heap and MemoryProtection functions in the latest version of Microsoft Internet Explorer. However, social media website Facebook goes beyond these rewards -- having paid out $1.5 million in bug bounty rewards throughout 2013 and $1.3 million in 2014. The social network has paid out approximately $3 million since launching its bug bounty program in 2011.
Read on: In the world of security
- Anonymous targets ISIS social media, recruitment drives in #OpISIS campaign
- Poor security left Anthem customer records exposed
- Verizon rushes fix for email account open season security flaw
- Sony executive Amy Pascal steps down following cyberattack, email exposure
- Facebook funds GNU Privacy Guard development
Read on: Fixes and Flaws