Adobe Recap: 2023 Ambassador World Cup Final Four | by Chris Parkerson | Dec, 2023


Author: Daniel Ventura, Manager, Product Security Incident Response Team (PSIRT) and Bug Bounty Program

Adobe has long focused on establishing a strong foundation of cybersecurity, built on a culture of collaboration, enabled by talented professionals, strong partnerships, leading edge capabilities, and deep engineering prowess. We have been an active participant in the security community for many years, engaging with partners, standards organizations, and security researchers to collectively enhance the security of our products.

We recognize the security community as a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. Adobe’s Vulnerability Disclosure Program (VDP) and Bug Bounty Program leverage the large community of hackers to collaborate and strengthen protections for Adobe products. Additionally, we work with external security researchers through our private Bug Bounty Program, Adobe-VIP, to responsibly disclose vulnerabilities found in our products.

Last month, Adobe participated in the Final Round of the 2023 Ambassador World Cup (AWC). This live hacking event, hosted by HackerOne, is an eight-month-long, competition-driven way to build community engagement, collaboration, and ambassador brand awareness throughout the hacker community. The AWC, led by HackerOne Brand Ambassadors, allows teams of hackers worldwide to identify impactful vulnerabilities in participating customer programs, including this year’s participants Adobe, A.S. Watson, Epic Games, Mercado Libre, MetaMask, OpenSea, Shopify, Stripe, TikTok, Tinder, and Yahoo.

In each round, participating customer programs receive an increase in new, fresh hacker engagement to drive high-signal traffic to the program’s approved scope. The benefits include dedicated focus on programs from the best hackers in the world, designed to extend attack resistance measures. This event also provided an opportunity to become more ingrained with the global community, create essential partnerships, and build new connections that continue beyond the competition.

The AWC started out with 29 teams and 677 hackers from 22 different countries. By the Final Round, 580 hackers across 25 teams had been eliminated. The Final Four consisted of the 97 remaining masterful hackers, representing the countries of France, Israel, Nepal, and Spain.

The following Adobe products participated in the competition:

  • Adobe Commerce
  • Photoshop Web
  • Lightroom Web
  • Identity Management System (IMS)
  • Adobe Firefly
  • Acrobat Sign

The event was a great success, with Adobe receiving over 200 vulnerabilities from over 80 world-class hackers, helping us to proactively harden our products. The feedback we received from the community was overwhelmingly positive, due to our programs’ broad scope, transparency, and inclusive engagement with hackers. We received invaluable input from our interactions with the hackers, not only through the typical interactions but also through their feedback on what makes a bug bounty program great: for example, what incentivizes them to work in a particular company’s program, whether they prefer to work alone or in groups, and any pet peeves they have when bug hunting. We’re looking forward to continuing our collaboration next year.

Hear from our Top Hackers

We had the opportunity to collaborate with some of the brightest from the hacker community. Here’s a snapshot of some of the highlights:

The France team decided to work on Adobe’s program as we felt this was where the most interesting targets would be. Communication was smooth and response times were fast. Great experience! It was cool having privileged access to Adobe products for the testing. I hope Adobe had as much fun as we had, and that all our work will bring them good value — after all, that’s the sense of the collaboration that bug bounty programs should bring.

Blaklis, Team France, #49 bounty hunter on HackerOne’s Platform

By far, it has been the most professional team we have had in this edition of the Ambassadors World Cup 2023. Adobe’s team was super responsive during the event making sure to answer questions and provide documentation and feedback to all the researchers. We would also like to highlight their transparency during the resolution of the reports, quickly making triages and paying all while clearly communicating their goals and what they expected from us. This has helped us improve our overall performance by boosting our motivation. We look forward to working with Adobe’s bug bounty team in future events and will certainly be happy to continue participating in their program.

Djurado, Team Spain, #45 bounty hunter on HackerOne’s platform

It’s rare to see mature Bug Bounty programs able to offer above-market-standard bounties, acknowledge submissions very quickly, and pay bounties right within validation. Combining these factors with the fact that we also received positive feedback and appreciation for what we’ve found really pushed us forward to go deeper and find more impactful bugs within the program. We look forward to continuing work on Adobe’s program, even after the AWC event.

Nagli, Team Israel, #6 bounty hunter on HackerOne’s platform

Team Nepal had one of the best experiences working with Adobe Bug Bounty in the AWC-2023. With a complex scope that included custom configurations, different setups, and various credentials, Adobe managed to fulfill all the hackers’ requests and queries surrounding it. The best thing about the Adobe Bug Bounty Program was the fast triage and rewards. It worked as a motivating factor for the team to hack even more on Adobe resulting in more and cooler bugs. Looking forward to seeing Adobe on the upcoming AWC-2024 as well.

dhakal_ananda, Team Nepal, #62 bounty hunter on HackerOne’s platform

We’d like to thank HackerOne for organizing such an incredible event for companies to engage with the global hacker community. As we move into the new year, our team eagerly looks forward to creating deeper connections within the community by continuing to invest in hacker-driven events and providing more opportunities to help us protect Adobe and our products.

Join Adobe-VIP

If you are ready to join the Hall of Fame initiative and level-up your skills in security research, we invite you to apply for the Adobe-VIP program. As a member of Adobe-VIP, you’ll have the opportunity to work closely with our world-class team of security experts to help safeguard the digital experiences of millions of people around the globe, and on a much wider set of products than in our public program.


