Security researchers in Adobe’s bug bounty program can now pick up rewards for finding vulnerabilities in Adobe Firefly and Content Credentials. The bug hunt will be open to members of Adobe’s private bug bounty program starting May 1.
Members of Adobe’s public bug bounty program will be eligible to work with Adobe Firefly and Content Credentials in the second half of 2024, and applications for the private program are open.
Both bug bounties are hosted on the HackerOne platform, which is open to security researchers globally.
Hackers can earn between $100 and $10,000, depending on the type and severity of the vulnerability.
“Not only do we just simply fix the vulnerabilities that are reported to us, but we also leverage the bug bounty program and some of the signals and trends that we get out of it as a type of feedback loop to our internal security teams,” said Adobe Product Security Incident Response Team Manager Daniel Ventura in an interview with TechRepublic. “So that we can all learn together and we can make our capabilities better as a whole.”
Ventura noted that while generative AI technology is relatively new, security researchers have quickly gotten up to speed on how to bug hunt within it. Adobe has partnered with HackerOne and Bug Bounty Village, a hacker conference organized by Ben Sadeghipour, aka NahamSec, to provide security researchers pathways to learning more about bug hunting in generative AI.
“Probably the biggest challenge is, you know, a lot of researchers are catching up to speed similar to organizations as they’re putting out new services and assets,” said Ventura.
Adobe Firefly presents unique bug-hunting challenges
Adobe Firefly is a family of generative AI models made to create images in Photoshop and other Adobe products. Adobe encourages security researchers to test Firefly for common vulnerabilities in generative AI. In particular, Adobe points researchers toward the OWASP Top Ten for Large Language Model Applications, which notes that LLM applications are especially vulnerable to prompt injections, data leakage, inadequate sandboxing and unauthorized code execution.
SEE: Our guide shows tips and tricks for using Adobe Photoshop most effectively. (TechRepublic)
Content Credentials provides important provenance information
Content Credentials adds secure metadata, watermarking and fingerprinting to AI art made in Adobe Firefly, Photoshop, Lightroom or other programs. Content Credentials attach to images’ information about the images’ creation and any editing that might have been done on them.
It is important that Content Credentials function well in order to ensure art is properly attributed, and to prevent the spread of deceptive images. In particular, Adobe wants to shut down possible ways to attach false Content Credentials.
The goal is to help creators who may use Content Credentials in their work and the broader security researcher community by sharing information about what vulnerabilities Content Credentials may have.
“The skills and expertise of security researchers play a critical role in enhancing security and now can help combat the spread of misinformation,” said Dana Rao, executive vice president, general counsel and chief trust officer at Adobe, in a statement to the press. “We are committed to working with the broader industry to help strengthen our Content Credentials implementation in Adobe Firefly and other flagship products to bring important issues to the forefront and encourage the development of responsible AI solutions.”
Adobe opens Security Researcher Hall of Fame
In order to add bragging rights to the monetary rewards, Adobe has opened a Security Researcher Hall of Fame for security researchers who make an exceptional impact in the bug bounty program. Researchers who score the most points in a quarter by making valid submissions to the bug bounty program can earn Adobe merchandise or a free 12-month subscription to Adobe’s Creative Cloud Suite, and their names will be displayed in the hall of fame.
“All in all, we hope this initiative helps cultivate a more rewarding experience for participating researchers,” Ventura wrote in a blog post.
Other AI bug bounty programs
AI bug hunts have proliferated with the rise of generative AI products and services over the last year. Google added certain generative AI vulnerabilities to its bug bounty program in October 2023. OpenAI has a bug bounty program for its AI models. Microsoft offers up to $15,000 to find bugs in Copilot.
This article was updated to better reflect how Content Credentials works.
