Adobe enters bug hunting programme

Adobe is now offering recognition – but not money – to hackers who find security flaws in its software.

The company has joined the HackerOne forum to tap the external community of technical experts able to exploit weaknesses in its code. A blog post on 4 March said the move recognised the “important role that independent security researchers play”.

The rules are simple. The hunt is limited to web applications. Those who are the first to report a non-trivial vulnerability (a list of trivial ones is provided), and who wait for Adobe to rectify it before they go public, are awarded recognition points.

Adobe’s decision not to offer cash bounties is likely to attract a different breed of bug hunter to those buzzing around other Silicon Valley properties. Last year, Facebook paid out $1.3 million in bug bounties, with the top five earners netting over $250,000 between them. India contributed the single largest number of bug reports by territory, followed by Egypt, the US, the UK and the Philippines.

Google paid out even more, with $1.5 million going to researchers. Its largest single award was $150,000, which also earned the bounty-hunter an internship with the company.