Following on Peleus’ ‘We Care’ post, we thought this would be a good place to give a more thorough description of Adobe’s Product Security Incident Response Team (or PSIRT) process. Much of the work ASSET does is on the proactive side, preventing software vulnerabilities before a product ships. Adobe’s PSIRT is the part of the ASSET organization that responds to security issues that are discovered by external security researchers, partners, customers and others after a product ships. Here’s a step-by-step description of our process; note that some of these steps overlap and happen in parallel:
- Adobe PSIRT receives information about security vulnerabilities through numerous channels, including (but not limited to):
- Adobe PSIRT responds to the person who reported the issue (let’s call them the ‘researcher’), acknowledging the report and asking for a proof-of-concept file to demonstrate the vulnerability, if applicable.
- Adobe PSIRT logs the issue in the Incident Response Database for tracking purposes. An Incident ID is automatically generated at this point, and passed along to the researcher.
- Adobe PSIRT sends the report to the relevant product team’s PSRT (Product Security Response Team) for verification. The product team’s PSRT includes a collection of Development, Quality and Program Managers, along with Developers, Quality Engineers and Product Managers.
- ASSET helps reproduce the bug and assists the product team with severity analysis. If reproducible, the product team (or ASSET, if appropriate) logs an internal Adobe bug for the issue.
- The product team investigates the issue and develops a fix, or workaround. ASSET helps to verify the fix.
- Any fix will be ported to all supported versions, as well as any version(s) currently under development.
- Adobe PSIRT responds back to the researcher, informing them that the issue has been reproduced and a fix is being investigated.
- As soon as possible, Adobe PSIRT communicates a proposed timeline for a patch to the researcher.
- Adobe encourages the responsible disclosure of vulnerabilities in our products, so the researcher is asked to keep the vulnerability confidential until a fix is available. Our goal is to keep our customers as secure as possible, so we want to keep the vulnerability information from malicious hackers.
- The product team produces patches for all supported product versions, as quickly as possible. Adobe PSIRT passes along any relevant status updates to the researcher and answers any questions they may have.
- Adobe PSIRT produces a Security Bulletin draft for the issue. The Security Bulletin text is reviewed by internal Adobe stakeholders.
- Adobe PSIRT passes the patch to the researcher for verification, if possible.
- Adobe PSIRT sends the Security Bulletin text to the External Security Researcher for review; the Security Bulletin includes an acknowledgment to the researcher thanking them for their help with the issue.
- Adobe PSIRT works with MITRE Corporation to generate CVE identifiers for any relevant issues.
- The Security Bulletin is posted to http://www.adobe.com/support/security/ along with the product patch(es).
- Adobe PSIRT posts a link to the Security Bulletin on the PSIRT blog (http://blogs.adobe.com/psirt/) to inform customers who have subscribed to the RSS feed. Customers are encouraged to sign up for the RSS feed by clicking on the link towards the bottom of the right side of the landing page, for the most timely notification of security issues.
- Adobe PSIRT coordinates a notification e-mail, sent to customers who have signed up for bulletin notification e-mails.
- Customers update their product installations, and the researcher posts their own advisory, if applicable, once the patch is available for customers.
And that is how our PSIRT process works! It can be a complicated process, and we really appreciate the help of all of the security researchers who have cooperated with us, and been patient with us over the years as we fine-tune it. If you have any questions about the process (or, of course, any security vulnerabilities to report to us), please don’t hesitate to contact PSIRT@adobe.com.