Adobe Transforms Public Vulnerability Disclosure Program into a Paid Bug Bounty Program | by Renae Kang | Jul, 2024
By Daniel Ventura, Manager of Product Security Incident Response Team (PSIRT)
As Adobe’s bug bounty programs continue to evolve, we seek to collaborate with more security researchers across the globe to help make a positive impact on securing the digital world at scale. Adobe offers two (2) bug bounty programs: a private bug bounty program, where proven hackers are offered exclusive access and incentives, and a public vulnerability disclosure program (VDP), which is open to everyone.
Last year, Adobe enhanced its private bug bounty program, inviting qualified researchers to apply for the program and work closely with our product security team to responsibly disclosure vulnerabilities found in our products.
To further deepen this collaboration and broaden opportunities for the researcher community, Adobe today is announcing the transformation of our public vulnerability disclosure program (VDP) into a paid public bug bounty program.
Adobe VDP Products Now Eligible for Monetary Rewards
Adobe is now expanding our investment in the community to make the bug bounty experience accessible for more researchers to get involved in our public bug bounty program and help secure the digital experiences of millions of people worldwide.
Alongside our private bug bounty program, the foundational Adobe Vulnerability Disclosure Program has long served as an outlet for security researchers to responsibly and ethically disclose security issues to Adobe. Having refined our program experience and further empowering the resilience of our products, Adobe is now eager to enhance our legacy VDP by transforming it into a paid public bug bounty program. By opening our program to a larger community of researchers, we aim to reinforce further protections for our products, services, and customers.
Today, we are excited to announce that researchers participating in our public bug bounty program who successfully identify and report vulnerabilities in the following products will be eligible for monetary rewards:
Year in Review: Adobe Private Bug Bounty Program
Over the past year, our Product Security Incident Response Team (PSIRT) scaled its private bug bounty program by onboarding Adobe desktop, web, and mobile apps, doubling bounty payout ranges, and reducing payout times for our bug bounty researchers by 20 percent.
Since then, Adobe has been actively engaging in the community by celebrating Adobe’s top researchers through the Adobe Researcher Hall of Fame initiative, participating in live hacking events such as the 2023 Ambassador World Cup (AWC) led by HackerOne Brand Ambassadors, and partnering with Nahamsec to support BSides San Francisco’s Bug Bounty Village.
As a result, we’ve seen massive success with growing engagement across our private program. So far in 2024, we’ve seen an 18 percent increase in overall hacker engagement. Our private bug bounty program has received 317 unique reports and paid out over $200,000 in bounties over the last three months. The PSIRT team has also made substantial efforts to improve the vulnerability disclosure experience for our security researchers, with 96 percent of reports meeting our response standards and our program delivering an average time to bounty of 18 days.
Get Involved: Help Adobe Build More Secure Products
As Adobe’s bug bounty programs continue to evolve and scale, we look forward to providing more opportunities to empower security researchers across the globe to engage and collaborate with us to help make a positive impact on securing the digital world.
To further encourage participation in Adobe’s public bug bounty program, Adobe is offering researchers additional incentives this year. If you are ready to make an impact in the digital world and level-up your hacking skills, we invite you to submit a report today on Adobe’s public bug bounty program and use code: AdobeLovesBugBounty24 to earn an additional 10 percent bounty.
Submit your bug report with code: AdobeLovesBugBounty24
Code expires December 31, 2024.
Additionally, we will be sponsoring the upcoming BSides Las Vegas event! If you’ll be there, come talk to our PSIRT team at the Adobe booth on August 7–8 or come find us at the HackerOne Recharge Day event on August 7.
