Adobe launches vulnerability disclosure scheme on HackerOne

Adobe, maker of software including Flash and Adobe Reader, is catching up to the times and has launched a vulnerability disclosure program -- but something may be missing.
Written by Charlie Osborne, Contributing Writer
Adobe has launched a web application vulnerability disclosure program on HackerOne in an attempt to improve the security of its products.

In a blog post on Wednesday, the software giant said the vulnerability disclosure program, hosted on HackerOne, will allow developers to privately submit vulnerabilities to the company. While the web application vulnerability disclosure program does not offer monetary rewards, developers who choose to submit bugs will boost their HackerOne reputation score with each accepted flaw.

Pieter Ockers, Security Program Manager of Adobe's Product Security Incident Response Team, said the project was launched "in recognition of the important role that independent security researchers play in keeping Adobe customers safe."

In the program's disclosure guidelines, Adobe says vulnerability disclosure is limited to Adobe-owned products, and the company encourages developers to focus on particular classes of flaws, including cross-site scripting, server-side code execution, injection, authentication flaws and security misconfiguration. Unless evidence is provided demonstrating an exploit, the program excludes low-severity cross-site request forgery, password reset issues, missing HTTP security headers and cookie flags, and clickjacking on static pages.

To receive credit for disclosing a flaw, developers must be the first to report a vulnerability, and grant Adobe a "reasonable" amount of time to fix the issue before disclosing anything publicly.


While Adobe's requests for vulnerability disclosures in return for HackerOne points are a step in the right direction, financial rewards probably wouldn't go amiss -- as many other software companies have discovered.

In February, Microsoft awarded Hewlett-Packard security researchers a bug bounty of $125,000 after they found, and proposed a fix for, a severe vulnerability affecting the Isolated Heap and MemoryProtection defences in the latest version of Microsoft Internet Explorer. Social network Facebook has gone further still, paying out $1.5 million in bug bounty rewards throughout 2013 and $1.3 million in 2014. The company has paid out approximately $3 million since launching its bug bounty program in 2011.
