Adobe Announces Researcher Hall of Fame Initiative for Security Researchers

By Daniel Ventura, Manager of Product Security Incident Response Team (PSIRT)

At Adobe, we are committed to fostering collaboration with our network of security researchers and empowering them in new ways to help collectively enhance the security of Adobe products.

To recognize the researchers who help us protect our customers, we’re excited to launch our new Researcher Hall of Fame (HoF) initiative . This initiative is a public forum expressing our gratitude and offering recognition to security researchers who take part in the Adobe’s vulnerability disclosure program (VDP) and private bug bounty program helping us proactively find and fix potential weaknesses in products before they reach our users.

Researcher Hall of Fame Overview

By participating in the Hall of Fame initiative, researchers will not only help build resilience and trust in Adobe’s products, but they will also be able to develop new skills and find new ways to think about vulnerability research. Beyond this, they will be given opportunities to build their reputation, receive recognition and rewards, and be recognized as a top researcher in their craft. All in all, we hope this initiative helps cultivate a more rewarding experience for participating researchers.

The Hall of Fame is open to everyone, as long as they have a HackerOne account — to create an account please visit this page. Any accepted submission with a valid security impact in our public or private bounty HackerOne program will subsequently receive Hall of Fame points. (Note: please refer to ‘exclusions’ on our HackerOne policy page for out-of-scope testing.)

The initiative officially begins on September 1, 2023, and winners will be announced on a quarterly basis. Upcoming reporting periods include:

• September 1, 2023 — November 30, 2023
• December 1, 2023 — February 28, 2024
• March 1, 2024 — May 31, 2024
• June 1, 2024 — August 31, 2024

Get started right away to qualify for our September start date at hackerone.com/adobe or apply to join Adobe’s Private Bug Bounty Program here.

How Do Points Work?

We award researchers points for each valid vulnerability reported to Adobe, and points are calculated exclusively by severity.

When uploading a submission on HackerOne, researchers will be asked to indicate the severity of their report. Once received, Adobe will validate and confirm the severity prior to awarding Hall of Fame Points.

Points are measured as follows:

• Low severity: 1 point
• Medium severity: 2 points
• High severity: 6 points
• Critical severity: 10 points

As a top reward, we are offering 20 points for reports demonstrating a viable proof-of-concept against a CISA Known Exploited Vulnerability.

Eligible vulnerabilities include reports with a valid security impact impacting Adobe’s data, services, or customers are in-scope (please refer to ‘exclusions’ on our HackerOne policy page for out-of-scope testing).

After the report is triaged, Adobe will confirm the awarded Hall of Fame points on each report.

Leaderboards, Rewards, and Recognition

At the end of each quarter, the top 10 researchers that have earned the most points during the testing period will be considered the winners for the quarter. Winners will be celebrated on Adobe’s Security page, highlighting their Name, Social Handle, and Hall of Fame points mentioned in a celebratory post.

The winners from each quarter will have the option to choose one of the following prizes:

• 12-month Subscription to Adobe’s Creative Cloud Suite
• The North Face® Chest Logo Pullover Hoodie
• 40 oz Thermos with Handle and Straw + Nike Dri-FIT Cotton/Poly T-shirt
• The North Face Canyon Flats Fleece Jacket

Enhancing Security Through Community Collaboration

To continuously keep pace with emerging technologies and vulnerabilities, it’s essential to keep the pace of constant collaboration and innovation. Through this initiative, our goal is to create more opportunities to work together with the security community, empowering researchers with exciting and creative challenges to continuously build their skills and recognize ethical hacking for the betterment of society.

“By definition, the challenges we are faced with in security are adversarial. We are not only defending against reliability issues, but on the other side, there is an adversary who is actively probing defenses and is looking to bypass them. Nothing is more important than the network you build. Finding skilled individuals to collaborate with grows your own capabilities.” — Maarten Van Horenbeeck, Chief Security Officer at Adobe

In May, we announced our enhanced Adobe-VIP private bug bounty program, designed to expand Adobe’s long-standing bug bounty efforts and further engage with security researchers to proactively identify and quickly resolve issues that could impact Adobe and its customers.

If you are ready to join the Hall of Fame initiative and level-up your skills in security research, we invite you to apply for the Adobe-VIP program. As a member of Adobe-VIP, you’ll have the opportunity to work closely with our world-class team of security experts to help safeguard the digital experiences of millions of people around the globe, and on a much wider set of products than in our public program.

Stay tuned for more updates on public recognition and rewards structure on the Adobe Security page.