We have seen the rise of bug bounty programs in many large tech companies as a result of the growing threat landscape that, if unchecked, would bring tremendous damage to critical infrastructures and businesses.
Adobe is the newest to launch its own vulnerability disclosure program on the HackerOne platform. But unlike its peers, the company does not provide monetary incentives for researchers who uncover flaws in the company’s products. This is in stark contrast with other companies like Google, which paid out $1.5 million to bug hunters in 2014 alone, and Facebook, which paid out $1.3 million for the thousands of submissions it received last year.
Furthermore, the scope of research covered in the program is limited only to Web applications, meaning that if a vulnerability is found in an Adobe product not specified within the program, the effort will be in vain. So if you find issues in Adobe’s password reset, security headers, cookie flags, static pages or cross-site request forgery, don’t bother reporting them to Adobe.
But Adobe still encourages researchers to submit vulnerabilities found in desktop applications such as Adobe Reader, Flash Player and Acrobat.
The only benefit that researchers can possibly gain from disclosing vulnerabilities in Adobe products is a boost to their score on HackerOne.
The vulnerability disclosure program is a vital step in Adobe’s Secure Product Lifecycle, which aims to test and invest in resources to evaluate products. This serves as a sort of consultation with the security research community at large. The value provided by the feedback from security researchers is indispensable, and Adobe must realize that a mere credit on the HackerOne platform might not be enough, unless some altruistic researchers are out there doing this job.
Recall that in the early days, security researchers were rewarded for their vulnerability research with a mention in Microsoft’s security bulletins. Times have changed, and with the exponential rise in threats, researchers now need cash to continue doing their work.
At the very least Adobe can find ways to incentivize its vulnerability disclosure program. At worst, researchers might choose to sell the exploit to hackers in exchange for money. But in the first place, why would Adobe hesitate from paying security researchers when it has the resources?
One thing that many companies with bug bounty programs have in mind is to focus on removing security vulnerabilities as an entire class and not just a single fix that only leads to the birth of another vulnerability.