Adobe Bug Bounty Program
Join the hunt.
Adobe recognizes that the global security research community plays a vital role in protecting our customers and maintaining trust in our brand. Our bug bounty program engages researchers worldwide to identify and report vulnerabilities. If you have discovered a security vulnerability in an Adobe product or service, we encourage you to report it as soon as possible.
Rewards and recognition
Payout Guidelines
Adobe offers monetary rewards for valid security vulnerabilities reported through our public bug bounty program. The reward amounts are determined based on the severity, impact, and exploitability of the reported issue, with higher payouts for vulnerabilities that have the greatest security impact.
To learn more about our reward structure and eligible vulnerabilities, visit our program page.
Note: the graph below outlines the payout ranges across both tier 1 and 2 products by severity level.
Security Researcher Hall of Fame
In addition to monetary rewards, we honor top contributors in our Security Researcher Hall of Fame, which celebrates those who have made exceptional contributions to enhancing the security of Adobe’s products and services.
Program scope
We welcome reports of security vulnerabilities that may affect the security or privacy of Adobe customers. To be eligible for a bounty, you must report security vulnerabilities in one or more of the following Adobe products and services, including but not limited to:
https://main--cc--adobecom.aem.page/trust/fragments/bug-bounty-scope
Reporting a vulnerability
All reports are reviewed and validated by HackerOne and Adobe’s product security teams. To help expedite our investigation and to speed payouts, please follow these guidelines:
- Provide clear, reproducible steps when submitting a vulnerability report, including the following details:
  - Step-by-step instructions: Outline each step needed to reproduce the issue, from login (if applicable) to triggering the vulnerability.
  - Specific URLs & endpoints: Provide exact affected locations where the issue occurs, including API endpoints.
  - Expected vs. actual behavior: Clearly describe what should happen versus what actually happens due to the vulnerability.
  - Screenshots & videos (if possible): Visual evidence helps clarify steps and impact.
  - Payloads & code snippets: If injecting input (e.g., XSS, SQLi), include the exact payload used.
  - Browser/environment details: Specify the OS, browser version, or tools used to reproduce the issue.
  - Required pre-conditions: Note any necessary account permissions, configurations, or settings needed to trigger the vulnerability.
- Include a proof-of-concept (PoC) — preferably a video — with a dedicated “impact” section to help significantly speed up the review and validation process.
- Consolidate all affected hosts into a single report when the same vulnerability impacts multiple hosts within the same asset or domain. Bounties are awarded per unique vulnerability, not per affected host. If duplicate reports are submitted, only the first valid submission will be considered, while later reports will be marked as duplicates.
- Use PGP encryption for sensitive submissions. The PGP key is available here.
- Please review our terms and conditions on our program page.
For a full list of reporting requirements, please review the Rules of Engagement on the program page.
Security Researcher Hall of Fame
Earn Hall of Fame points to climb the ranks and earn special recognition for your contributions.
What is the Security Researcher Hall of Fame?
The Security Researcher Hall of Fame initiative provides an opportunity to recognize and celebrate the most impactful security researchers who have demonstrated tremendous dedication to their craft and helped strengthen protections for our products, services, and customers.
We welcome all security researchers, from hobbyists to full-time ethical hackers, to participate in the Security Researcher Hall of Fame by submitting a report to the Adobe Bug Bounty Program.
How do I earn points?
Researcher points will be awarded for each valid submission to the Adobe Bug Bounty Program. Researcher points will accumulate for a final score calculated at the end of each testing period. To help ensure equal opportunity for all, researcher points will reset at the beginning of each testing period.
What is the scoring process?
Any valid and unique submission reported to the Adobe Bug Bounty Program will be awarded Hall of Fame points based on the table below. Adobe's standard policy scope and exclusions apply.
What is the testing period?
Each testing period lasts one year, starting every September and ending the next September. Announcements for Adobe's Top 10 researchers occur every October.
What are the rewards?
At the end of each testing period, total researcher points will be tallied for all participating researchers and the top ten point earners will be announced. In addition to being commemorated in the Hall of Fame initiative, each top ten researcher will be eligible to choose one of the following rewards:
https://main--cc--adobecom.aem.page/trust/fragments/bug-bounty-hof
Security Researcher Hall of Fame Winners
Anonymous