Adobe first launched our Vulnerability Disclosure Program with HackerOne in 2015. Since then, the team has continued to expand its program to improve security across our products.
Adobe’s Senior Security Program Manager Pieter Ockers sat down for a Q&A session with the HackerOne team to discuss how our program has evolved over the last five years and the role that hacker-powered security, both bug bounties and response programs, plays in our overall security strategy.
Q. How do ethical hackers fit into Adobe’s comprehensive security strategy?
A. Adobe’s primary security priority is to help keep our customers’ data and experiences safe. We do this by building security into our product development and operational processes at the onset, and automating as many processes as possible. One of the main goals for the security team is to make secure development and operations as easy as possible for product teams and the company. Through our vulnerability disclosure program, primarily hosted on HackerOne, and regular penetration tests, the ethical hacker community helps augment our security team by enabling us to open up our products and services for review by a diverse population of security experts with many different perspectives and backgrounds. We think this added level of expertise and perspective helps us make our products better and safer for our users.
Q. Can you share a little bit about why you chose HackerOne?
A. Our initial motivation to use HackerOne’s platform was driven by the desire to migrate away from the previous vulnerability submission workflow. At the time, we were using a legacy web form to receive vulnerability submissions. This technology lacked many of the features that the HackerOne platform offered. We found HackerOne’s platform was best optimized for engagement with security researchers, and it was an easy decision to adopt their platform to execute on this program.
Once on the platform, we were able to scale our Product Security Incident Response Team (PSIRT) by using HackerOne’s triage services to better manage the increasing volume of bug submissions. Over time, we have also implemented incremental improvements through leveraging HackerOne’s API, integrating the platform into Adobe’s workflows. This allowed us to scale our vulnerability disclosure program along with the growth of Adobe.
Q. Adobe leverages hacker-powered security and the hacker community in a few different ways to satisfy various security needs. How has Adobe scaled and evolved programs over the years?
A. Adobe interfaces with the security community through a spectrum of engagement models, including (but not limited to):
- Vulnerability Disclosure Program
- Crowdsourced Pentests
- Magento Bug Bounty Program
Code reviews and pentests
Before Adobe introduces a major upgrade or new product, feature or online service offering, a code review and pentest is often performed by an external vendor. These traditional third-party reviews provide an additional layer of assurance to complement our internal security assessments and static code analysis that are part of our Secure Product Lifecycle (SPLC).
Vulnerability Disclosure Program
PSIRT is responsible for Adobe’s vulnerability disclosure program, and typically responds first to the security community’s submissions of vulnerabilities related to Adobe products, online services or web properties. Adobe launched its vulnerability disclosure program on HackerOne in August 2015. The HackerOne platform leveraged by Adobe offers researchers the opportunity to build a reputation and learn from others in the community, all while allowing Adobe to streamline workflows and scale resources by establishing a single intake channel for vulnerabilities.
Crowdsourced Pentests
To benefit from a larger pool of security researchers, Adobe also uses crowdsourced pentests in tightly scoped, time-bound engagements involving an elite pool of pentesters targeting a single service offering or web application. This approach has helped supplement the traditional pentests against our online services by increasing code coverage and testing techniques.
Magento Bug Bounty Program
Adobe acquired Magento in 2018, and migrated its bug bounty program to HackerOne in early 2019. Our primary goal for this bounty program is to incentivize researchers to find and report bugs that represent systemic risks with the platform, and this program has successfully captured the expertise of the Magento community to help us harden the Magento platform.
Q. Measuring the success of hacker-powered security can be tough as you’re often trying to measure what doesn’t happen. How do you measure return on investment of your security initiatives?
A. Our customers expect to have a secure experience when using Adobe products and services, and investing in our security initiatives allows us to better serve our customers. For PSIRT initiatives we make every effort to keep our products safe and our customers happy. We strive to provide transparency and quick, helpful responses to external researchers, while keeping a pulse on media and social sentiment.
Q. What advice or lessons learned would you share for companies looking to consolidate vendors and scale their programs?
A. The key to a successful experience with the security research community is to start a vulnerability disclosure program with limited scope. Researchers expect, as they should, that vendors answer questions and react to submissions promptly. Launching a program before you have the capacity to handle the submissions could result in a poor experience for external researchers.
Once you have developed and tested your playbooks with a limited vulnerability disclosure program, you can expand incrementally to bigger and broader scoped programs seamlessly.
Q. Looking forward to the next five years, how do you see hacker-powered security and the industry more broadly evolving?
A. I believe this rapid shift to working remotely will open up more opportunities for remote, crowdsourced workers to play an even bigger role in contributing to the development of secure software.
I am optimistic that as the hacker and research community continues to grow in size and skill, they will surface complex vulnerabilities faster than any automated tool could (as well as continuing to proactively offer advice to developers and companies).
To learn more about all of our incident response efforts here at Adobe, please visit the Adobe Trust Center.