Adobe’s bug bounty program now rewards security researchers for finding vulnerabilities in Adobe Firefly and Content Credentials. The bug hunt is open to members of Adobe’s private bug bounty program starting May 1.
Members of Adobe’s public bug bounty program will have the opportunity to work with Adobe Firefly and Content Credentials in the second half of 2024. Applications for the private program are currently open.
Both bug bounties are hosted on the HackerOne platform, which is accessible to security researchers worldwide.
Hackers can earn rewards ranging from $100 to $10,000, based on the type and severity of the discovered vulnerability.
“Not only do we fix reported vulnerabilities, but we also utilize the bug bounty program as a feedback loop to enhance our internal security teams,” said Adobe Product Security Incident Response Team Manager Daniel Ventura. “This allows us to learn and improve our overall security capabilities.”
Ventura highlighted that security researchers have quickly adapted to bug hunting within generative AI technology. Adobe has partnered with HackerOne and Bug Bounty Village to provide pathways for researchers to learn more about bug hunting in generative AI.
According to Ventura, one of the main challenges is for researchers to catch up to the pace at which organizations release new services and assets.
Adobe Firefly presents unique bug-hunting challenges
Adobe Firefly comprises generative AI models designed to produce images in Adobe products like Photoshop. Security researchers are encouraged to test Firefly for vulnerabilities common in generative AI. Specifically, Adobe directs researchers towards the OWASP Top 10 for Large Language Model Applications, which outlines vulnerabilities in LLM applications such as prompt injection, data leakage, inadequate sandboxing, and unauthorized code execution.
Content Credentials provides critical provenance information
Content Credentials add secure metadata, watermarking, and fingerprinting to AI-generated art in Adobe products like Firefly, Photoshop, and Lightroom. These credentials include information about the creation and editing of images, ensuring proper attribution and preventing the dissemination of deceptive images. Adobe aims to address potential vulnerabilities in Content Credentials to assist creators and the security researcher community.
“The skills and expertise of security researchers are vital in enhancing security and combating misinformation,” said Dana Rao, executive vice president, general counsel, and chief trust officer at Adobe.
Adobe introduces Security Researcher Hall of Fame
Adobe has launched a Security Researcher Hall of Fame to recognize researchers who make significant contributions to the bug bounty program. Top researchers in a quarter can earn Adobe merchandise, a free 12-month subscription to Adobe’s Creative Cloud Suite, and have their names featured in the hall of fame.
“We hope this initiative enhances the experience for participating researchers,” Ventura mentioned in a blog post.
Other AI bug bounty programs
The increase in generative AI products has led to a rise in AI bug bounty programs. Google included generative AI vulnerabilities in its bug bounty program in October 2023. OpenAI and Microsoft also offer bug bounty programs for their AI models.
This article has been updated to provide a clearer understanding of how Content Credentials work.