Attention Security Researchers: Level Up Your Skills and Join Our Private Bug Bounty Program

Adobe has been an active participant in the security community for many years, engaging with partners, standards organizations, and security researchers to collectively enhance the security of our products. To expand our bug bounty efforts and grow deeper engagement with our network of security researchers, we are now inviting all qualified security researchers on the HackerOne platform to submit an application to join our enhanced Adobe-VIP private bug bounty program.

The Adobe-VIP private bug bounty program is maintained by our Product Security Incident Response Team (PSIRT) and is designed for engagement with security researchers who are eager to work more closely with our teams to proactively identify and quickly resolve issues that could impact Adobe and our customers. The private bug bounty program offers rewards to researchers who successfully detect and report exploitable vulnerabilities to Adobe.

Over the past year, we have scaled the private bug bounty program by onboarding all Adobe desktop and mobile apps, doubled maximum bounty payout ranges, and reduced the time to payout for our bug bounty researchers. More recently, we have been experimenting with monthly bounty multiplier campaigns, to better engage and learn with our bug bounty researchers. For example, the Adobe-VIP program hosts a monthly bonus bounty campaign that rewards researchers for demonstrating a proof-of-concept on an Adobe product for new CVEs listed in the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerability (KEV) catalog. This campaign helps build resilience and trust in our products, but also helps incentivize and shift the focus of the security researcher community to think about vulnerability research in new ways. All in all, we hope these enhancements to the Adobe private bug bounty program helps cultivate a more rewarding experience for participating researchers.

Our private bug bounty program builds upon our well-established public Vulnerability Disclosure Program (VDP) on the HackerOne platform. The foundational VDP program has long provided an outlet for security researchers to responsibly and ethically disclose security issues to Adobe and has helped us build a stronger community of researchers around the globe. We see this public bounty program as another layer and force-multiplier in providing safer digital experiences.

If you are ready to join the Adobe private bug bounty program and level-up your skills in security research, we invite you to apply for the Adobe-VIP program. As a member of Adobe-VIP, you’ll have the opportunity to work closely with our world-class team of security experts to help safeguard the digital experiences of millions of people around the globe, and on a much wider set of products than in our public program.

As Adobe’s bug bounty program continues to grow and scale, we will engage the security community to seek ways to empower researchers. In future blog posts, we look forward to continuing the conversation on our bug bounty journey by celebrating some of our top bug bounty researchers and highlighting key insights we learn along the way. Stay tuned.