Alright you code bounty hunters. Adobe is looking to join the bug hunting game just like many other large companies. They've recognized the limitations of only having their internal engineers looking at their code and are thus opening it to the rest of the world to take a peak.
Adobe is launching a vulnerability hunting program, with no monetary reward, on the HackerOne platform.
Joining the ranks of Dropbox, Twitter, Yahoo, Google, Facebook, Mozilla and many others, Adobe is set to allow access to the source code of web applications and other applications on the HackerOne community so that the hunt for vulnerabilities may commence.
The problem, however, is that unlike most other tech firms, Adobe isn't offering a monetary prize for any discoveries, but instead will reward points that directly effect your "reputation" score on the HackerOne platform.
"In recognition of the important role that independent security researchers play in keeping Adobe customers safe, today Adobe launches a web application vulnerability disclosure program on the HackerOne platform. Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score."
The reputation system is apparently new at HackerOne, but does indeed offer real benefits that surround your abilities and knowledge. The points can help vouch for you, so to speak, during other bug hunting missions you may choose. The idea being that ones reputation can help to discern the strongest of reports to focus on, as at times there is an influx of less confident reports that likely won't resolve any issue. You only gain reputation points, losing them if what you've turned in isn't applicable or if it needs more info. This can help identify the best players and also encourage those that aren't working up to part to really engage themselves.
The thing is, however, that it isn't a reward system in and of itself. It's not a replacement for the monetary bounty system used by many of the companies. Companies can choose to give reputation points out in addition to money. Adobe's approach, then, seems a bit odd, if a bit underwhelming. If you truly want a larger community to participate, then even small rewards in addition to reputation points might have a greater affect overall.
Adobe will also publicly thank you on their HackerOne site. It doesn't sound lucrative nor worth it, at first glance, and the benefits may not be immediately apparent, but they are there. You'll also get to help close some very glaring security vulnerabilities in the process as well. That has to count for something, right? That warm and fuzzy feeling of doing something good for its own sake?
Regardless of their motivations and the perceived substandard reward for the work done, it's a step in the right direction for a company whose software has traditionally been targeted very keenly for quite some time. This may actually lead to Flash being a viable option due to far less vulnerabilities, or vulnerabilities that are caught very early on. It's important to note, though, that web platform API's themselves are not part of the HackerOne program, though links to report vulnerabilities are given on the Adobe HackerOne site. This applies only to downloadable programs as per the Adobe HackerOne site.
HackerOne is a platform for which companies can offer their source code to be looked at for vulnerabilities and exploits in exchange for something. They have standards in place for how to report vulnerabilities as well as what the companies response should be, by using their service.
To ensure security of source code, as much as is possible, one must sign up for the program in order to participate with some challenges in order to verify identity. Also, of course everything is encrypted to and from the site. They use ISO 29147 to guide how to disclose and ISO 30111 to provide guidance on how to handle any vulnerabilities. They seem to take this stuff quite seriously, and have thus far been successful in their endeavors with USD 2.21 Million having been paid out for identifying 7,053 bugs that were fixed.
Anyway, so far, as of March 3rd 2015 there have been 10 bugs closed and 7 hackers thanked. That's not a bad start, and can only become even better from here.
I applaud them on their decision to at least recognized the value of the independent IT security world. The longest and most difficult journeys do indeed start with a single step.
If you are a programmer of some sort and love getting dirty with code, then by all means, head on over to HackerOne to start hunting for the bad guys err... for the bad code.
