Adobe opens bug reporting program, but don't report Flash and don't expect cash

Adobe has joined a bug disclosure program that invites researchers to report new flaws in its web applications. What can hackers expect for their work? Not a cash bounty.

While offering up cash for bugs might seem par for the course among big software companies today, Adobe has always been in the Hall of Fame camp. It offers recognition to researchers who find bugs in its products like Adobe Flash, Reader and ColdFusion but no cash.

It's adopting the same principle for a new new vulnerability disclosure program on HackerOne, one of the third-party bug disclosure programs that others like Twitter, Yahoo, Coinbase and CloudFlare have joined.

"Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score," Adobe said in a blog post today.

Companies offer a range of rewards through HackerOne to researchers who find qualifying bugs. CloudFlare for example doesn’t offer cash, but offers a reputation boost, a CloudFlare bug hunter t-shirt and service rewards. Others offer cash rewards.

Adobe only provides recognition to researchers, helping boost their reputation on HackerOne.

Also, Adobe’s program is limited to web applications and excludes the two products that hackers target the most — Adobe Flash Player and Adobe Reader and Acrobat.

Web application bugs that are in scope include cross-site scripting; cross-site request forgery in a privileged context; server-side code execution; authentication or authorization flaws; injection vulnerabilities; directory traversal; information disclosure; and significant security misconfigurations.

There is a bounty through HackerOne of $2,000 or more for bugs in Flash Player, however that's run under The Internet Bug Bounty, a program sponsored by Facebook and Microsoft that was first launched in 2013.

That program offers bounties for key web technologies like OpenSSL, Nginx, Python, Ruby on Rails, Perl, Django Ruby and others. Adobe’s lead security strategist Peleus Uhley is on the panel that selects bugs that qualify for payment.

Casey Ellis, CEO and co-founder of BugCrowd, said the risk of some bug public reporting programs is that they tend to attract "noise". The bigger the brand name, the more potential junk reports come in and that has a cost to the software maker.

“The danger of noise is that it fatigues the responding team, which means they miss things. We remove the noise through the platform itself and with our in-house team,” Ellis told CSO Australia.

For that reason, Adobe’s decision not to venture into the full bug bounty camp may be wise.

“Cash improves better depth of testing, but also has the effect of increasing the noise,” said Ellis.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Upcoming IT Security Events

Last chance March 9th 2015

Join CSO for the day@#csoperspectives and hear from @kimzetter @LeviathanSec

3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today

Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)