At Adobe we recognize that our customers benefit when we take a collaborative approach to vulnerability disclosure. We pride ourselves on the symbiotic relationship we’ve cultivated with the security community and continue to value the contributions that security researchers of all stripes make to hardening our software.
As a measure of the value we place in external code reviews and security testing, Adobe interfaces with the security community through a spectrum of engagement models, including (but not limited to):
- Traditional third-party code reviews and pen-tests
- Crowd-sourced pen-tests
- Voluntary disclosures to our Product Security Incident Response Team (PSIRT)
- Submissions to our web application disclosure program on HackerOne
Code reviews and pen-tests
Before Adobe introduces a major upgrade or new product, feature or online service offering, a code review and pen-test is often performed by an external security company. These traditional third-party reviews provide a layer of assurance to complement our internal security assessments and static code analysis that are part of our Secure Product Lifecycle (SPLC).
To benefit from a larger pool of security researchers, Adobe also uses crowd-sourced pen-tests in tightly scoped, time-bound engagements involving an elite pool of pen-testers targeting a single service offering or web application. This approach has helped supplement the traditional pen-tests against our online services by increasing code coverage and broadening the testing techniques applied.
Disclosures to PSIRT
The Product Security Incident Response Team (PSIRT) is responsible for Adobe’s vulnerability disclosure program, and typically responds first to the security community’s submissions of vulnerabilities affecting an Adobe product, online service or web property. In addition to its role as the conduit to external researchers, PSIRT partners with both internal and external stakeholders to ensure vulnerabilities are handled in a manner that both minimizes risk to customers and encourages researchers to disclose in a coordinated fashion.
Disclosures via HackerOne
In March 2015, Adobe launched its web application vulnerability disclosure program on HackerOne. This platform offers researchers the opportunity to build a reputation and learn from others in the community, while allowing vendors to streamline workflows and scale resources more effectively.
As new bug hunting and reporting platforms enable part-time hobbyists to become full-time freelance researchers, we look forward to continuing a constructive collaboration with an ever-widening pool of security experts.
PSIRT Security Program Manager
Product Security Manager