30840 policies in database
Link to program      
2015-03-04
2020-01-07
Adobe logo
Thank
Gift
HOF
Reward

Reward

Adobe

Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible.

Researchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.

Table of Contents

  1. Rewards

  2. Response Targets

  3. Process

  4. Eligible Vulnerabilities

  5. Adobe Commerce Guidelines

  6. Program Exclusions

  7. Disclosure

  8. Safe Harbor

  9. Minors

  10. Ineligible Participants

  11. Terms and Conditions

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.

Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source

Scope:

  • Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration

  • Bundled extensions

Tier 1 Payout Ranges

| Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |

| --------------------------| -----------------------| ------------------------- | -------------------- |

| $5,000 - $10,000 | $1,000 - $5,000 | $200 - $1,000 | $100 - $200 |

Payout adjustments:

  • ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==

Tier 2:

Scope:

  • account.magento.com

  • accounts.magento.cloud

  • u.magento.com

  • magentolive.com

  • imagine.magento.com

  • marketplace.magento.com

  • repo.magento.com

  • magentocommerce.com

  • magento.com

Tier 2 Payout Ranges

| Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |

| ------------- | ------------- | ------------- | ------------- | ------------- |

| $2,500 - $5,000 | $ 500 - $2,500 | $100 - $500 | $100 |

Payout adjustments:

  • Public repo secret leak: $1,000 (maximum)

  • Reflected XSS: $500 (maximum)

NOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce.

NOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.

Response Targets

Adobe makes every effort to meet the following SLAs for hackers participating in our program:

| Type of Response | SLA in business days |

|----------|--------------------|

| First Response | 1 day |

| Time to Triage | 2 days |

| Time to Resolution | dependent on severity and complexity |

We’ll try to keep you informed about our progress throughout the process.

Process

Your submission will be reviewed and validated by a member of the Product Security Incident Response Team.

  • When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.

  • Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption (key here).

  • If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely.

  • When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate.

Eligible Vulnerabilities

We encourage the coordinated disclosure of the following eligible web application vulnerabilities:

  • Cross-site scripting

  • Cross-site request forgery in a privileged context

  • Server-side code execution

  • Authentication or authorization flaws

  • Injection Vulnerabilities

  • Directory Traversal

  • Information Disclosure

  • Significant Security Misconfiguration (please follow best practice when reporting subdomain takeovers)

To receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.

Adobe Commerce Guidelines

Please review the following guidelines before submitting your report:

  • DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here.

  • DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.

  • DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.

  • DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.

  • DO NOT cause a potential or actual denial of service of Magento applications and systems.

  • DO NOT use an exploit to view data without authorization or cause corruption of data.

  • DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Program Exclusions

While we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:

  • Content spoofing / text injection

  • Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]

  • Logout and other instances of low-severity Cross-Site Request Forgery

  • Cross-site tracing (XST)

  • Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)

  • Missing HTTP security headers

  • Missing cookie flags on non-sensitive cookies

  • Password and account recovery policies, such as reset link expiration or password complexity

  • Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)

  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

  • Missing best practices in SSL/TLS configuration.

  • Clickjacking/UI redressing with no practical security impact

  • Software version disclosure

  • Username / email enumeration via Login Page or Forgot Password Page error messages

  • Methods to extend product trial periods.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Vulnerabilities in custom code developed by merchants / 3rd parties.

  • Vulnerabilities in 3rd party extensions or available from the extension market.

  • Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.

  • Attacks requiring MITM or physical access to a user's device.

  • Vulnerabilities that require disabling security features enabled in default configurations.

Disclosure

In the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Minors

Minors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty.

Ineligible Participants

This program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria.

Terms and Conditions

  • Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • Please do not test for spam, social engineering, or denial of service issues.

  • Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.

  • Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.

  • Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.

In Scope

Scope Type Scope Name
android_application

com.adobe.reader

android_application

com.workfront.android.aware

android_application

com.adobe.lrmobile

android_application

com.adobe.scan.android

android_application

com.adobe.fas

android_application

com.adobe.echosign

application

Adobe Acrobat Reader DC

application

Photoshop

application

Lightroom

application

After Effects

application

Animate

application

Audition

application

Adobe AIR

application

Bridge

application

Character Animator

application

Creative Cloud Desktop Application

application

Digital Editions

application

Dreamweaver

application

Flash Player

application

Fonts

application

Framemaker

application

Illustrator

application

InCopy

application

InDesign

application

Media Encoder

application

Prelude

application

Premiere Pro

application

XD

application

Adobe Campaign

application

Adobe Experience Manager (AEM)

application

Lightroom Classic

application

XMP Toolkit

application

Distiller

application

Premiere Rush

application

Premiere Elements

application

Dimension

ios_application

com.iphone.workfront

ios_application

com.frame.FrameIO

ios_application

com.adobe.lrmobilephone

ios_application

com.adobe.lrmobile

other

Other

other

Workfront Outlook Plugin

other

Adobe Commerce, Commerce B2B and Commerce Open Source

web_application

*.acrobat.com

web_application

*.adobe.io

web_application

*.adobeaemcloud.com

web_application

*.adobecqms.net

web_application

*.bizible.com

web_application

*.marketo.com

web_application

*.mixamo.com

web_application

*.omniture.com

web_application

*.phonegap.com

web_application

*.tubemogul.com

web_application

*.typekit.com

web_application

account.adobe.com

web_application

accounts.adobe.com

web_application

acrobat.adobe.com

web_application

acrobatoauth.adobe.com

web_application

adminconsole.adobe.com

web_application

adobeid.services.adobe.com

web_application

adobelogin.com

web_application

adobestock.com

web_application

assets.adobe.com

web_application

auth.services.adobe.com

web_application

behance.net

web_application

campaign.adobe.com

web_application

captivateprime.adobe.com

web_application

cbconnection.adobe.com

web_application

cloud.acrobat.com

web_application

coldfusion.adobe.com

web_application

commerce.adobe.com

web_application

community.adobe.com

web_application

create.adobe.com

web_application

creative.adobe.com

web_application

creativecloud.adobe.com

web_application

documentcloud.adobe.com

web_application

documents.adobe.com

web_application

edex.adobe.com

web_application

exchange.adobe.com

web_application

experience.adobe.com

web_application

experiencecloud.adobe.com

web_application

fonts.adobe.com

web_application

gps.echosign.com

web_application

helpx.adobe.com

web_application

licenses.adobe.com

web_application

licensing.adobe.com

web_application

lightroom.adobe.com

web_application

marketing-assets.adobe.com

web_application

marketing.adobe.com

web_application

mobilemarketing.adobe.com

web_application

partners.adobe.com

web_application

photoshop.com

web_application

platform.adobe.com

web_application

portfolio.adobe.com

web_application

secure.echosign.com

web_application

shop.adobe.com

web_application

spark.adobe.com

web_application

status.adobe.com

web_application

stock.adobe.com

web_application

substance3d.com

web_application

theblog.adobe.com

web_application

xd.adobe.com

web_application

*.adobe.com

web_application

*.scene7.com

web_application

*.adobeconnect.com

web_application

*.tt.omtrdc.net

web_application

*.testdrive.workfront.com

web_application

*.proofhq.com

web_application

marketplace.magento.com

web_application

magentocommerce.com

web_application

repo.magento.com

web_application

magento.com

web_application

u.magento.com

web_application

imagine.magento.com

web_application

magentolive.com

web_application

account.magento.com

web_application

accounts.magento.cloud

web_application

app.frame.io

web_application

accounts.frame.io

web_application

socket.frame.io

web_application

applications.frame.io

web_application

developer.frame.io

web_application

workflow.frame.io

web_application

updates.frame.io

web_application

stream.frame.io

web_application

components.frame.io

web_application

api-v2.frame.io

web_application

api.frame.io

web_application

https://github.com/adobe/*

Out of Scope

Scope Type Scope Name
other

Magento 1 Enterprise (Commerce) and Community (Open Source) Editions


This program have been found on Hackerone on 2015-03-04.

FireBounty © 2015-2022

Legal notices | Privacy