Join the hunt.
Adobe recognizes that the global security research community plays a vital role in protecting our customers and maintaining trust in our brand. Our bug bounty program engages researchers worldwide to identify and report vulnerabilities. If you have discovered a security vulnerability in an Adobe product or service, we encourage you to report it as soon as possible.
Rewards and recognitions
Payout Guidelines
Adobe offers monetary rewards for valid security vulnerabilities reported through our public bug bounty program. The reward amounts are determined based on the severity, impact, and exploitability of the reported issue, with higher payouts for vulnerabilities that have the greatest security impact.
To learn more about our reward structure and eligible vulnerabilities, visit our program page.
Note: the graph below outlines the payout ranges across both tier 1 and 2 products by severity level.
Security Researcher Hall of Fame
In addition to monetary rewards, we honor top contributors in our Security Researcher Hall of Fame, which celebrates those who have made exceptional contributions to enhancing the security of Adobe’s products and services.
Program scope
We welcome reports of security vulnerabilities that may affect the security or privacy of Adobe customers. To be eligible for a bounty, you must report security vulnerabilities in one or more of the following Adobe products and services, including but not limited to:
Reporting a vulnerability
All reports are reviewed and validated by HackerOne and Adobe’s product security teams. To help expedite our investigation and to speed payouts, please follow these guidelines:
- Provide clear, reproducible steps when submitting a vulnerability report, including the following details:
- Step-by-step instructions: Outline each step needed to reproduce the issue, from login (if applicable) to triggering the vulnerability.
- Specific URLs & endpoints: Provide exact affected locations where the issue occurs, including API endpoints.
- Expected vs. actual behavior: Clearly describe what should happen versus what actually happens due to the vulnerability.
- Screenshots & videos (if possible): Visual evidence helps clarify steps and impact.
- Payloads & code snippets: If injecting input (e.g., XSS, SQLi), include the exact payload used.
- Browser/environment details: Specify the OS, browser version, or tools used to reproduce the issue.
- Required pre-conditions: Note any necessary account permissions, configurations, or settings needed to trigger the vulnerability.
- Include a proof-of-concept (PoC) — preferably a video — with a dedicated “impact” section to help significantly speed up the review and validation process.
- Consolidate all affected hosts into a single report when the same vulnerability impacts multiple hosts within the same asset or domain. Bounties are awarded per unique vulnerability, not per affected host. If duplicate reports are submitted, only the first valid submission will be considered, while later reports will be marked as duplicates.
- Use PGP encryption for sensitive submissions. The PGP key is available here.
- Please review our terms and conditions on our program page.
For a full list of reporting requirements, please review the Rules of Engagement on the program page.
Security Researcher Hall of Fame
Earn Hall of Fame points to climb the ranks and earn special recognition for your contributions.
What is the Security Researcher Hall of Fame?
The Security Researcher Hall of Fame initiative provides an opportunity to recognize and celebrate the most impactful security researchers who have demonstrated tremendous dedication to their craft and helped strengthen protections for our products, services, and customers.
We welcome all security researchers, from hobbyists to full-time ethical hackers, to participate in the Security Researcher Hall of Fame by submitting a report to the Adobe Bug Bounty Program.
How do I earn points?
Researcher points will be awarded for each valid submission to the Adobe Bug Bounty Program. Researcher points will accumulate for a final score calculated at the end of each testing period. To help ensure equal opportunity for all, researcher points will reset at the beginning of each testing period.
What is the scoring process?
Any valid and unique submission reported to the Adobe Bug Bounty Program will be awarded Hall of Fame points based on the table below. Adobe's standard policy scope and exclusions apply.
What is the testing period?
Each testing period lasts one year, starting every September and ending the next September. Announcements for Adobe's Top 10 researchers occur every October.
What are the rewards?
At the end of each testing period, total researcher points will be tallied for all participating researchers and the top ten point earners will be announced. In addition to being commemorated in the Hall of Fame initiative, each top ten researcher will be eligible to choose one of the following rewards:
12-month subscription to Adobe Creative Cloud
Black Jacket - OGIO Crux Soft Shell
Daybreak Recycled 15" Laptop Backpack + Valhalla Copper Vacuum Insulated Tumbler 16oz
Security Researcher Hall of Fame Winners
Anonymous
