Adobe Launches 'Fame Only' Bug Bounty Program

Software giant Adobe launched a bug bounty program that promises public recognition (not cash) for finding and reporting vulnerabilities in the company’s websites and other online services.

Pieter Ockers, the security program manager at Adobe, said in a blog post, "Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score."

HackerOne is an online platform that allows companies to receive bug reports from security researchers without having their own custom bug reporting platform.

According to Adobe's bug bounty disclosure guidelines, the eligible vulnerabilities are: cross-site scripting, cross-site request forgery in a privileged context, server-side code execution, authentication or authorization flaws, injection vulnerabilities, directory traversal, information disclosure, and significant security misconfiguration.

To receive credit, the researcher must be the first reporter of a vulnerability and must give Adobe a reasonable amount of time to remediate before publicly disclosing it.

Some bugs are excluded from the bug bounty program: logout and other instances of low-severity cross-site request forgery, perceived issues with password reset links, missing HTTP security headers, missing cookie flags on non-sensitive cookies, and clickjacking on static pages.
