[{"id":3771392,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nThe researcher who is first to report a vulnerability will be acknowledged in the release notes once the vulnerability is resolved. If additional team members were involved in researching the vulnerability, please provide their name(s) and their contribution to the findings when submitting the report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. Providing your testing IP address allows Adobe to expedite incident response investigations by ruling your traffic out from genuine adversary traffic. It also helps ensure your testing traffic is not blocked or interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you can request at any time that Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Program AI Specific Exclusions](#user-content-program-ai-specific-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common 
Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty, even if the fix requires code changes in multiple locations.\n* The first reported and confirmed account takeover (ATO) method will receive the full bounty payout based on its validated severity. Any later reports using the same or a similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty based on the vulnerability’s impact without the account takeover scenario. This rule applies to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\nWe welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. 
If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Resolution | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.\n\n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. 
We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, the first report received is treated as unique, and subsequent reports are marked as duplicates.\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or a materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n\n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n\n- Cross-site scripting (XSS)\n- Prompt injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n\nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Eligible AI Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the eligible AI application vulnerabilities listed below, along with other similar vulnerabilities. 
Before submitting any finding, please review the **Program AI Specific Exclusions** for out-of-scope vulnerabilities.\n\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact |\n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities | Cross-Prompt Injection Attacks (XPIA): adversarial instructions embedded within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. | data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | Unauthorized API calls, tool chaining attacks, parameter injection, authentication and authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST them to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | Compromised MCP servers, context poisoning via MCP, tool response manipulation, MCP protocol exploits, unauthorized MCP server discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | Backdoor injection, training data memorization, poisoned pre-trained models, infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n| Model-Level Vulnerabilities | Model backdoors and trojans | Poisoning training data with triggered examples in order to cause specific incorrect predictions. 
| targeted misclassification, data exfiltration, jailbreaking |\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n**Important:** Please monitor this AI Asset list, as it is subject to updates.\n\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. 
More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | The Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com | The Firefly Video model helps you generate videos and add them to the timeline in the Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html |\n| Lightroom \"Edit suggestions\" Tech preview | lightroom.adobe.com | This AI feature can suggest adjustments such as exposure and contrast fixes, color corrections (white balance, vibrance), tone and lighting improvements, and preset-style enhancements, and apply these suggestions with one click. |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you perform specific edits to enhance images. 
More info: https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report:\n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account.\n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n- DO NOT cause a potential or actual denial of service of Magento applications and systems. 
==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Exploits by users holding any of these roles (Admin, Integration Admin, Author or Instructor) that affect other users.\n- XSS in Admin, Integration Admin, Author or Instructor.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment).\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.**\n\nSetup Instructions:\n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images:\n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql* etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:\n\n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as the secrets are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# Program AI Specific Exclusions\n ---------------------------------------------------------------------------------------------------------\nGeneral exclusions: \n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior (e.g. a prompt injection disclosing generic guidelines followed by any model).\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\nProduct-specific exclusions:\n- Photoshop: Any vulnerabilities associated with the AI Features’ usage limits on the free tier are considered out of scope. 
\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No reliance on an unreliable exploit that does not succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-19T16:38:34.038Z"},{"id":3771391,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Program AI Specific Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* 
[Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the eligible AI application vulnerabilities listed below, along with other similar vulnerabilities. 
Before submitting any finding, please review the **Program AI Specific Exclusions** for out-of-scope vulnerabilities.\n\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities | Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. | data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | Unauthorized API Calls, Tool chaining attacks, Parameter injection, Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | Compromised MCP Servers, Context poisoning via MCP, Tool Response Manipulation, MCP Protocol Exploits, Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | Backdoor Injection, Training data memorization, Poisoned Pre-trained models, Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n| Model-Level Vulnerabilities | Model backdoors and trojans | Poisoning training data with triggered examples in order to cause specific incorrect predictions. 
| targeted misclassification, data exfiltration, jailbreaking |\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n**Important:** Please monitor this AI Asset list, as it is subject to updates.\n\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. 
More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com |  Firefly Video model helps you to generate videos and add them to the timeline in Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom \"Edit suggestions\" Tech preview | lightroom.adobe.com | This AI feature can suggest you adjustments like: exposure and contrast fixes, color corrections (white balance, vibrance), tone and lighting improvements, preset-style enhancements and apply these suggestions with one click. |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you to perform specific edits to enhance the images. 
More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. 
==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor - affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading, or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# Program AI Specific Exclusions\n ---------------------------------------------------------------------------------------------------------\nGeneral exclusions: \n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior. (e.g a prompt injection disclosing generic guidelines followed by any model)\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\nProduct specific exclusions:\n- Photoshop:  Any vulnerabilities associated with the AI Features’ usage limits on the free tier are considered out of scope. 
\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details these two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that doesn't succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc. \n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS score once existing mitigations or limitations are understood, which may downgrade the typical score.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to attacker controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information. \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-19T16:37:16.318Z"},{"id":3771390,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Program AI Specific Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* 
[Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the eligible AI application vulnerabilities listed below, along with other similar vulnerabilities. 
Before submitting any finding, please review the **Program AI Specific Exclusions** for out-of-scope vulnerabilities.\n\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities |  Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. | data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | Unauthorized API Calls, Tool chaining attacks, Parameter injection, Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | Compromised MCP Servers, Context poisoning via MCP, Tool Response Manipulation,  MCP Protocol Exploits, Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions  |\n| Training Data Vulnerabilities | Backdoor Injection, Training data memorization, Poisoned Pre-trained models, Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n| Model-Level Vulnerabilities | Model backdoors and trojans | Poisoning training data with triggered examples in order to cause specific incorrect predictions. 
| targeted misclassification, data exfiltration, jailbreaking |\n| Supply Chain Vulnerabilities |   | | |\n\n\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. 
Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n**Important:** Please monitor this AI Asset list, as it is subject to updates.\n\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. 
More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com |  Firefly Video model helps you to generate videos and add them to the timeline in Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom \"Edit suggestions\" Tech preview | lightroom.adobe.com | This AI feature can suggest you adjustments like: exposure and contrast fixes, color corrections (white balance, vibrance), tone and lighting improvements, preset-style enhancements and apply these suggestions with one click. |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you to perform specific edits to enhance the images. 
More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. 
==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs ( *v2/users*, *v2/projects*, */v3/graphql* etc) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to Oauth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# Program AI Specific Exclusions\n ---------------------------------------------------------------------------------------------------------\nGeneral exclusions: \n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior (e.g. a prompt injection disclosing generic guidelines followed by any model).\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\nProduct specific exclusions:\n- Photoshop: Any vulnerabilities associated with the AI Features’ usage limits on the free tier are considered out of scope. 
\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details these two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No product environmental non-default settings\n  * No unreliable exploit that doesn't succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS score once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-19T16:23:21.164Z"},{"id":3771389,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Program AI Specific Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* 
[Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities (in progress) \n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the eligible AI application vulnerabilities listed below, along with other similar vulnerabilities. 
Before submitting any finding, please review the **Program AI Specific Exclusions** for out-of-scope vulnerabilities.\n\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities | Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. | data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | Unauthorized API Calls, Tool chaining attacks, Parameter injection, Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | Compromised MCP Servers, Context poisoning via MCP, Tool Response Manipulation, MCP Protocol Exploits, Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | Backdoor Injection, Training data memorization, Poisoned Pre-trained models, Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. 
| privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n| Model-Level Vulnerabilities |   | | |\n| Supply Chain Vulnerabilities |   | | |\n\n\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. 
https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n**Important:** Please monitor this AI Asset list, as it is subject to updates.\n\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. 
More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com |  Firefly Video model helps you to generate videos and add them to the timeline in Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. 
More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom \"Edit suggestions\" Tech preview | lightroom.adobe.com | This AI feature can suggest adjustments such as exposure and contrast fixes, color corrections (white balance, vibrance), tone and lighting improvements and preset-style enhancements, and apply these suggestions with one click. |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you perform specific edits to enhance the images. More info: https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account (instructions here). \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. 
\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage). \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in the backend Firefly API related to jobs and data are out-of-scope, as the IDs are random UUID4 and short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. 
Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com.\n* Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor - affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs ( *v2/users*, *v2/projects*, */v3/graphql* etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# Program AI Specific Exclusions\n---------------------------------------------------------------------------------------------------------\nGeneral exclusions: \n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior (e.g. a prompt injection disclosing generic guidelines followed by any model).\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\nProduct specific exclusions:\n- Photoshop: Any vulnerabilities associated with the AI Features’ usage limits on the free tier are considered out of scope. 
\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit, i.e. one that doesn't succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (e.g. changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, the Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n-------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-19T15:05:32.948Z"},{"id":3771388,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Program AI Specific Exclusions](#user-content-program-ai-specific-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* 
[Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities (in progress) \n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the eligible AI application vulnerabilities listed below, along with other similar vulnerabilities. 
Before submitting any finding, please review the **Program AI Specific Exclusions** for out-of-scope vulnerabilities.\n\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities | Cross-Prompt Injection Attacks (XPIA): adversarial instructions embedded within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. | data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | Unauthorized API Calls, Tool chaining attacks, Parameter injection, Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST them to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | Compromised MCP Servers, Context poisoning via MCP, Tool Response Manipulation, MCP Protocol Exploits, Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | Backdoor Injection, Training data memorization, Poisoned Pre-trained models, Infrastructure compromise | An attacker can determine whether specific sensitive data was included in the model’s training dataset. 
| privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n| Model-Level Vulnerabilities |   | | |\n| Supply Chain Vulnerabilities |   | | |\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. 
https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. 
More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | The Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com |  The Firefly Video model helps you generate videos and add them to the timeline in the Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom \"Edit suggestions\" Tech preview | lightroom.adobe.com | This AI feature suggests adjustments such as exposure and contrast fixes, color corrections (white balance, vibrance), tone and lighting improvements and preset-style enhancements, and applies them with one click. |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you perform specific edits to enhance images. 
More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. 
==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n **IMPORTANT**:\n - Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs ( *v2/users*, *v2/projects*, */v3/graphql* etc) are considered out of scope.\n\n# Portfolio Test Plan \n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, the following examples are excluded from this program unless evidence is provided demonstrating exploitability: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# Program AI Specific Exclusions\n ---------------------------------------------------------------------------------------------------------\nGeneral exclusions: \n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior (e.g. a prompt injection disclosing generic guidelines followed by any model).\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\nProduct specific exclusions:\n- Photoshop: Any vulnerabilities associated with the AI Features’ usage limits on the free tier are considered out of scope. 
\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics (existing mitigations or limitations identified during triage) can also lower the typical score.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive file is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive file is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-19T14:36:59.530Z"},{"id":3771383,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Program AI Specific Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* 
[Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities (in progress) \n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities |  Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | Unauthorized API Calls, Tool chaining attacks, Parameter injection, Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | Compromised MCP Servers, Context poisoning via MCP, Tool Response Manipulation,  MCP Protocol Exploits, Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | Backdoor Injection, Training data memorization, Poisoned Pre-trained models, Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n| Model-Level Vulnerabilities |   | | |\n| Supply Chain Vulnerabilities |   | | |\n\n\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. 
https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. 
https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. 
More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com |  The Firefly Video model helps you generate videos and add them to the timeline in the Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom \"Edit suggestions\" Tech preview | lightroom.adobe.com | This AI feature can suggest adjustments such as exposure and contrast fixes, color corrections (white balance, vibrance), tone and lighting improvements and preset-style enhancements, and apply these suggestions with one click. |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you perform specific edits to enhance your images. More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. 
More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**Note:** your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out of scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com).\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out of scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n\n---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, the following examples are excluded from this program unless evidence is provided demonstrating exploitability:\n\n- DoS / resource consumption testing, unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out of scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed so that they do not provide any significant access or damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS (to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks)\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, reusing an existing POC from somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate that the exposure originated from a vulnerability in Adobe systems.\n- Reports based solely on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# Program AI Specific Exclusions\n\n---------------------------------------------------------------------------------------------------------\n\nGeneral exclusions:\n- Prompt Influence Without Backend Impact: prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior (e.g. a prompt injection that discloses generic guidelines followed by any model).\n- Role Confusion Without Unauthorized Disclosure: role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\nProduct-specific exclusions:\n- Photoshop: any vulnerabilities associated with the AI features’ usage limits on the free tier are considered out of scope. 
\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No dependence on non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self-sign-up applications, guest role, etc.\n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS score, since existing mitigations or limitations may downgrade the typical score.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (e.g. changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, the Crimea region of Ukraine, Sudan, or Syria.\n\n# Terms and Conditions\n\n-------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or a materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-19T14:17:32.305Z"},{"id":3771338,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Program AI Specific Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* 
[Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or a materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n\n# Eligible Vulnerabilities\n\n---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n\n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n\nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Eligible AI Vulnerabilities (in progress)\n\n---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact |\n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities | Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | * Unauthorized API Calls * Tool chaining attacks * Parameter injection * Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | * Compromised MCP Servers * Context poisoning via MCP * Tool Response Manipulation * MCP Protocol Exploits * Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | * Backdoor Injection * Training data memorization * Poisoned Pre-trained models * Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n| Model-Level Vulnerabilities | | | |\n| Supply Chain Vulnerabilities | | | |\n\n\n\n\n# Scope Overview\n\n-------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. 
https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that exposes any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. 
https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. 
More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com | The Firefly Video model helps you generate videos and add them to the timeline in the Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html |\n| Lightroom \"Edit suggestions\" Tech preview | lightroom.adobe.com | This AI feature can suggest adjustments such as exposure and contrast fixes, color corrections (white balance, vibrance), tone and lighting improvements, and preset-style enhancements, and apply these suggestions with one click. |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you perform specific edits to enhance images. More info: https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. 
More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionality of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading, or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# Program AI Specific Exclusions\n ---------------------------------------------------------------------------------------------------------\nGeneral exclusions: \n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior. (e.g a prompt injection disclosing generic guidelines followed by any model)\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\nProduct specific exclusions:\n- Photoshop:  Any vulnerabilities associated with the AI Features’ usage limits on the free tier are considered out of scope. 
\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details these two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that does not succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with Unpredictable Resource Identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T17:33:28.197Z"},{"id":3771334,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Program AI Specific Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* 
[Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities (in progress) \n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities |  Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities |  * Unauthorized API Calls  * Tool chaining attacks  * Parameter injection  * Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities |  * Compromised MCP Servers  * Context poisoning via MCP  * Tool Response Manipulation  * MCP Protocol Exploits  * Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | * Backdoor Injection  * Training data memorization  * Poisoned Pre-trained models  * Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n\n\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. 
More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com |  The Firefly Video model helps you generate videos and add them to the timeline in the Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom \"Edit suggestions\" Tech preview | lightroom.adobe.com | This AI feature can suggest adjustments such as exposure and contrast fixes, color corrections (white balance, vibrance), tone and lighting improvements and preset-style enhancements, and apply these suggestions with one click. |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you perform specific edits to enhance images. More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account (instructions here). \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased 
versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. 
\n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionality of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading, or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# Program AI Specific Exclusions\n ---------------------------------------------------------------------------------------------------------\nGeneral exclusions: \n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior. (e.g a prompt injection disclosing generic guidelines followed by any model)\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\nProduct specific exclusions:\n- Photoshop:  Any vulnerabilities associated with the AI Features’ usage limits on the free tier are considered out of scope. 
\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system is used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we assume the generic **AC:L** and **PR:N**. The following section details these two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No dependence on non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised because of the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS: existing mitigations or limitations may downgrade the typical score.\n* For multiple vulnerabilities chained together, the final CVSS reflects the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary, or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak (information disclosure) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T17:12:15.274Z"},{"id":3771332,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Program AI Specific Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* 
[Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, the first report received is treated as unique and subsequent reports are marked as duplicates. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities (in progress) \n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities |  Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities |  * Unauthorized API Calls  * Tool chaining attacks  * Parameter injection  * Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities |  * Compromised MCP Servers  * Context poisoning via MCP  * Tool Response Manipulation  * MCP Protocol Exploits  * Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | * Backdoor Injection  * Training data memorization  * Poisoned Pre-trained models  * Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. 
More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com |  The Firefly Video model helps you generate videos and add them to the timeline in the Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom \"Edit suggestions\" Tech preview | lightroom.adobe.com | This AI feature can suggest adjustments such as exposure and contrast fixes, color corrections (white balance, vibrance), tone and lighting improvements, and preset-style enhancements, and apply these suggestions with one click. |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you perform specific edits to enhance images. More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account (instructions here). \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in a front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased 
versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. 
\n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to a learner uploading arbitrary binary file formats.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n **IMPORTANT**:\n - Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql* etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# Program AI Specific Exclusions\n ---------------------------------------------------------------------------------------------------------\nGeneral exclusions: \n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior.\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\nProduct specific exclusions:\n- Photoshop: Any vulnerabilities associated with the AI Features’ usage limits on the free tier are considered out of scope. 
\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system is used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we consider the generic **AC:L** and **PR:N**. The following section details these two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that does not succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): the attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS score later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - the credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - the credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, the credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, the credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (e.g. changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak (information disclosure) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect finders to wait until a fix has been made available and communicated to impacted customers, or until a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, the Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T16:49:41.259Z"},{"id":3771331,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Program AI Specific Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* 
[Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n| First Response | 1 day | \n| Time to Triage | 2 days |\n| Time to Resolution | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, the first report received is treated as unique, and subsequent reports are marked as duplicates. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities (in progress) \n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities | Cross-Prompt Injection Attacks (XPIA) - embedding adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | * Unauthorized API calls * Tool chaining attacks * Parameter injection * Authentication and authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST them to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | * Compromised MCP servers * Context poisoning via MCP * Tool response manipulation * MCP protocol exploits * Unauthorized MCP server discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | * Backdoor injection * Training data memorization * Poisoned pre-trained models * Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n\n\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that exposes any change to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. 
More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com |  The Firefly Video model helps you generate videos and add them to the timeline in the Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom \"Edit suggestions\" Tech preview | lightroom.adobe.com | This AI feature suggests adjustments such as exposure and contrast fixes, color corrections (white balance, vibrance), tone and lighting improvements and preset-style enhancements, and applies them with one click. |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you perform specific edits to enhance images. More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased 
versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. 
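Returning to the Content Authenticity Initiative test plan above: the two items that most often confuse new testers are why "alter the visual rendering without invalidating the signature" is in scope while "removing Content Credentials" is not. Both follow from how the hard binding works, so here is a simplified model of it in Python. This is an added example, not code from Adobe or the contentauth project, and not the real C2PA JUMBF/CBOR container format: the manifest records a hash over every byte of the asset except the manifest store's own byte range (the C2PA data-hash assertion's exclusions), and that manifest is signed. The `MNFST` marker, the fixed 256-byte box, the pixel bytes and the key are all constructed for the example, and HMAC-SHA256 stands in for the X.509 signature so the script runs with the standard library only. The `slack` parameter reproduces a signer-side bug (an exclusion range wider than the manifest box), which is exactly the in-scope class: bytes that render but are not covered by the hash.

```python
"""Simplified model of a C2PA-style hard binding (data hash with exclusions).

Added example, not Adobe's or contentauth's code and not the real C2PA format.
HMAC-SHA256 stands in for the X.509 signature; all inputs are constructed.
"""
import hashlib
import hmac
import json

MAGIC = b"MNFST"                      # hypothetical marker for our manifest box
BOX_SIZE = 256                        # fixed box size so the exclusion range is known up front
SIGNING_KEY = b"constructed-demo-key"  # stand-in for the signer's private key


def hash_with_exclusions(asset: bytes, exclusions) -> str:
    """SHA-256 over `asset`, skipping every (start, length) range in `exclusions`."""
    h = hashlib.sha256()
    pos = 0
    for start, length in sorted(exclusions):
        h.update(asset[pos:start])
        pos = start + length
    h.update(asset[pos:])
    return h.hexdigest()


def _sign(manifest: dict, key: bytes) -> str:
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _build_box(manifest: dict, key: bytes) -> bytes:
    body = json.dumps(manifest, sort_keys=True).encode()
    box = MAGIC + body + b"|" + _sign(manifest, key).encode()
    if len(box) > BOX_SIZE:
        raise ValueError("manifest does not fit the fixed-size box")
    return box.ljust(BOX_SIZE, b"\0")   # zero padding, like C2PA's `pad`


def embed_manifest(pixels: bytes, offset: int, key: bytes = SIGNING_KEY, slack: int = 0) -> bytes:
    """Return `pixels` with a signed manifest box inserted at `offset`.

    `slack` widens the exclusion beyond the box. 0 is correct; a positive value
    reproduces a signer bug that leaves renderable bytes unbound by the hash.
    """
    exclusions = [[offset, BOX_SIZE + slack]]
    # Hash the asset as it will look once the box is in place, minus the exclusions.
    shape = pixels[:offset] + b"\0" * BOX_SIZE + pixels[offset:]
    manifest = {"alg": "sha256", "exclusions": exclusions,
                "hash": hash_with_exclusions(shape, exclusions)}
    return pixels[:offset] + _build_box(manifest, key) + pixels[offset:]


def verify(asset: bytes, key: bytes = SIGNING_KEY) -> str:
    """Classify: 'valid', 'no_credentials', 'invalid_signature' or 'hash_mismatch'."""
    start = asset.find(MAGIC)
    if start < 0:
        return "no_credentials"          # stripped credentials are an absence, not a forgery
    box = asset[start:start + BOX_SIZE].rstrip(b"\0")
    body, _, sig = box[len(MAGIC):].rpartition(b"|")
    manifest = json.loads(body)
    if not hmac.compare_digest(_sign(manifest, key), sig.decode()):
        return "invalid_signature"       # hash recomputed by someone without the key
    exclusions = [tuple(e) for e in manifest["exclusions"]]
    if hash_with_exclusions(asset, exclusions) != manifest["hash"]:
        return "hash_mismatch"           # bytes outside the exclusions were altered
    return "valid"


def run_scenarios() -> dict:
    """Constructed 4 KiB 'pixel' payload with the manifest box inserted at byte 64."""
    pixels = hashlib.sha256(b"constructed pixel data").digest() * 128
    offset = 64
    signed = embed_manifest(pixels, offset)

    edited = bytearray(signed)           # 1. pixel edit after signing
    edited[offset + BOX_SIZE + 10] ^= 0x01
    stripped = signed[:offset] + signed[offset + BOX_SIZE:]   # 2. credentials removed
    bare = bytes(edited[:offset]) + bytes(edited[offset + BOX_SIZE:])
    forged = embed_manifest(bare, offset, key=b"attacker")    # 3. re-signed without the key
    sloppy = bytearray(embed_manifest(pixels, offset, slack=32))   # 4. over-wide exclusion
    sloppy[offset + BOX_SIZE + 10] ^= 0x01                     # edit inside the unbound slack

    return {"original": verify(signed), "edited": verify(bytes(edited)),
            "stripped": verify(stripped), "forged": verify(forged),
            "sloppy_exclusion_edited": verify(bytes(sloppy))}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} {result}")
```

The last scenario is the one worth reporting: the signature and hash both verify, yet a byte that renders was changed. Reports of that class need the bytes to be covered by the manifest's claimed scope, so use c2patool's detailed output to confirm the exclusion ranges before claiming a bypass.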
\n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to learners uploading arbitrary binary file formats.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. We recommend testing on the latest available version, ColdFusion 2025, even though previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n **IMPORTANT**:\n - Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan \n\nSetup Instructions: \n-  Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance,  go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# Program AI Specific Exclusions\n ---------------------------------------------------------------------------------------------------------\nGeneral exclusions: \n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior.\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\nProduct specific exclusions:\n- Photoshop: \n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system is used for assessment and calculation. 
The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and its environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No reliance on non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc. \n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also adjust the CVSS later, once existing mitigations or limitations that downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory disclosure (information leak) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T16:42:43.054Z"},{"id":3771330,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Program AI Specific Exclusions](#user-content-program-ai-specific-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* 
[Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, the first report received is treated as the original and subsequent reports are marked as duplicates. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or a materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities (in progress) \n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities |  Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | Unauthorized API calls; tool chaining attacks; parameter injection; authentication and authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST them to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | Compromised MCP servers; context poisoning via MCP; tool response manipulation; MCP protocol exploits; unauthorized MCP server discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | Backdoor injection; training data memorization; poisoned pre-trained models; infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. 
More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com |  Firefly Video model helps you to generate videos and add them to the timeline in Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom Tech Preview for \"edit suggestions\" | lightroom.adobe.com | |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you to perform specific edits to enhance the images. More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account (instructions here). \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased 
versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. 
\n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Issues in which a user holding any of the Admin, Integration Admin, Author or Instructor roles affects other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as those secrets are designed not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid, incomplete or missing SPF (Sender Policy Framework) or DKIM records\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Vulnerabilities in custom code developed by merchants / third parties\n- Vulnerabilities in third-party extensions or in extensions available from the extension market\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL\n- Attacks requiring MITM or physical access to a user's device\n- Vulnerabilities that require disabling security features enabled in default configurations\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe\n- CRX/CRXDE related flaws where you are not able to extract PII by exploiting the AEM misconfiguration\n- Subdomain takeover without a working PoC demonstrating the ability to claim the corresponding resource. 
Reusing an existing PoC published by someone else who discovered the issue previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate that the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# Program AI Specific Exclusions\n ---------------------------------------------------------------------------------------------------------\nGeneral exclusions: \n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior.\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\nProduct specific exclusions:\n- Photoshop: \n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system is used for assessment and calculation. 
The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below we assume the generic **AC:L** and **PR:N**; the following section details how those two metrics are tailored for the CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that fails to succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): the attacker holds a high-privilege role such as admin, root or system operator. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised, due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS: existing mitigations or limitations identified during triage may downgrade the typical score.\n* For multiple vulnerabilities chained together, the final CVSS reflects the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when the credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - the credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, the credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, the credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (e.g. changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory disclosure (information leak) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T16:17:50.711Z"},{"id":3771329,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* 
[Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Eligible AI Vulnerabilities (in progress) \n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities | Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | * Unauthorized API Calls * Tool chaining attacks * Parameter injection * Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | * Compromised MCP Servers * Context poisoning via MCP * Tool Response Manipulation * MCP Protocol Exploits * Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | * Backdoor Injection * Training data memorization * Poisoned Pre-trained models * Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n| Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com | The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | The Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. 
More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com |  Firefly Video model helps you to generate videos and add them to the timeline in Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom Tech Preview for \"edit suggestions\" | lightroom.adobe.com | |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you to perform specific edits to enhance the images. More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased 
versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. 
\n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor - affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of an application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n#IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to security profile will be accepted (e.g. https://account.adobe.com/security).\n\n#Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select  **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n#Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n **IMPORTANT**:\n - Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted(blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs ( *v2/users*, *v2/projects*, */v3/graphql* etc) are considered out of scope.\n\n#Portfolio Test Plan \n\nSetup Instructions: \n-  Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance,  go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to Oauth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading, or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n#  Program AI Specific Exclusions \n\nGeneral exclusions: \n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior.\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\nProduct specific exclusions:\n- Photoshop: \n\n\n#CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nCVSS 3.1 scoring system will be used for assessment and calculation. 
**Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n###Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings required\n  * No unreliable exploit that doesn't succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n###Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n###Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs, other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later by understanding existing mitigations or limitations that could downgrade the typical score.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n##Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to attacker controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n##Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n##Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n##Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n##Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n##Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n##Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n##Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n##Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (e.g. changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n##Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n##Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T16:04:10.896Z"},{"id":3771309,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* 
[Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities (in progress) \n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities |  Cross- Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities |  * Unauthorized API Calls  * Tool chaining attacks  * Parameter injection  * Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities |  * Compromised MCP Servers  * Context poisoning via MCP  * Tool Response Manipulation  * MCP Protocol Exploits  * Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | * Backdoor Injection  * Training data memorization  * Poisoned Pre-trained models  * Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | Create visually captivating content by generating images from simple text descriptions. 
More info: https://helpx.adobe.com/firefly/web/generate-images-with-text-to-image/generate-images-using-text-prompts/create-images-from-text-prompts.html |\n| Firefly Video Model | firefly.adobe.com |  Firefly Video model helps you to generate videos and add them to the timeline in Firefly video editor. More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom Tech Preview for \"edit suggestions\" | lightroom.adobe.com | |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you to perform specific edits to enhance the images. More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased 
versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. 
\n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It's not a ColdFusion application (it uses WordPress and PHP)\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading, or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n## Program AI Specific Exclusions \n\n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior.\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\n\n#CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nCVSS 3.1 scoring system will be used for assessment and calculation. **Attack Complexity (AC)** and **Privileges Required(PR)** metrics are dependent of the affected product and environment setup. 
For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details how those two metrics are set for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No dependence on non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs. Other CWEs or misconfigurations cannot be standardised because of the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS: existing mitigations or limitations identified during triage may downgrade the typical score.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (e.g. changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory disclosure (information leak) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T15:03:21.760Z"},{"id":3771306,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* 
[Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities (in progress) \n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities |  Cross- Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities |  * Unauthorized API Calls  * Tool chaining attacks  * Parameter injection  * Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST them to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities |  * Compromised MCP Servers  * Context poisoning via MCP  * Tool Response Manipulation  * MCP Protocol Exploits  * Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | * Backdoor Injection  * Training data memorization  * Poisoned Pre-trained models  * Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | More info:  |\n| Firefly Video Model | firefly.adobe.com |  Firefly Video model helps you to generate videos and add them to the timeline in Firefly video editor. 
More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom Tech Preview for \"edit suggestions\" | lightroom.adobe.com | |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you to perform specific edits to enhance the images. More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. 
\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in the backend Firefly API related to jobs and data are out-of-scope, as the IDs are random UUID4 values and short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. 
Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats as a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts, such as:\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionality of applications and other backend systems. It is deprioritized, with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql* etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are cases with higher impact, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n## Program AI Specific Exclusions \n\n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior.\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. 
For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No reliance on non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): attacker holds a high-privilege role such as admin, root or system operator 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also lower the CVSS later, once existing mitigations or limitations that reduce the typical impact are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the highest combined impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T14:52:46.498Z"},{"id":3771302,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* 
[Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Eligible AI Vulnerabilities (in progress) \n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities | Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | * Unauthorized API Calls * Tool chaining attacks * Parameter injection * Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | * Compromised MCP Servers * Context poisoning via MCP * Tool Response Manipulation * MCP Protocol Exploits * Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | * Backdoor Injection * Training data memorization * Poisoned Pre-trained models * Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Presentations | acrobat.adobe.com |  The Generate presentation tool in Adobe Acrobat uses generative AI and Adobe Express design capabilities to build structured, ready-to-edit presentations from simple prompts or existing documents. More info: https://helpx.adobe.com/acrobat/web/create-pdfs/create-presentations/overview.html |\n| Acrobat Create Podcast | acrobat.adobe.com | The Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | More info:  |\n| Firefly Video Model | firefly.adobe.com |  The Firefly Video model helps you to generate videos and add them to the timeline in the Firefly video editor. 
More info: https://helpx.adobe.com/firefly/web/firefly-video-editor/generate-videos/generate-video-using-firefly-models.html |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom Tech Preview for \"edit suggestions\" | lightroom.adobe.com | |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you to perform specific edits to enhance the images. More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. 
\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. 
Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n **IMPORTANT**:\n - Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs ( *v2/users*, *v2/projects*, */v3/graphql* etc) are considered out of scope.\n\n# Portfolio Test Plan \n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n## Program AI Specific Exclusions \n\n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior.\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. 
For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following sections detail these two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with Unpredictable Resource Identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access, no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS score once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to attacker controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T14:47:58.144Z"},{"id":3771301,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* 
[Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Resolution | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.\n\n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, we treat the first report received as the unique report, and subsequent reports will be marked as duplicates. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n\n# Eligible Vulnerabilities\n---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n\n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n\nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Eligible AI Vulnerabilities (in progress)\n---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact |\n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities | Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | * Unauthorized API Calls  * Tool chaining attacks  * Parameter injection  * Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | * Compromised MCP Servers  * Context poisoning via MCP  * Tool Response Manipulation  * MCP Protocol Exploits  * Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | * Backdoor Injection  * Training data memorization  * Poisoned Pre-trained models  * Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n\n# Scope Overview\n-------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n| Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Image Models | firefly.adobe.com | More info:  |\n| Firefly Video Model | firefly.adobe.com | More info: |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. 
More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom Tech Preview for \"edit suggestions\" | lightroom.adobe.com | |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you to perform specific edits to enhance the images. More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. 
\n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage).\n- DO NOT use an exploit to view data without authorization or cause corruption of data.\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in the front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.\n\n# Firefly Test Plan\n\n* IDORs in the backend Firefly API related to jobs and data are out-of-scope, as the IDs are random UUID4 values and are short-lived (72h).\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor - affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:\n\n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as they are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, reusing an existing POC that somebody else discovered previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n## Program AI Specific Exclusions\n\n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior.\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup.
For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product environment settings\n  * No unreliable exploit that does not succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc.
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS score once existing mitigations or limitations that could lower the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty.
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria.\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues.
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T14:37:16.982Z"},{"id":3771300,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* 
[Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Resolution | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.\n \n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, we treat the first report that was received as unique, and subsequent reports will be marked as duplicates.
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Eligible AI Vulnerabilities (in progress)\n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact |\n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities | Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions.
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | * Unauthorized API Calls * Tool chaining attacks * Parameter injection * Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | * Compromised MCP Servers * Context poisoning via MCP * Tool Response Manipulation * MCP Protocol Exploits * Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | * Backdoor Injection * Training data memorization * Poisoned Pre-trained models * Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n\n\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more.
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n| Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy.
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly Custom Models | firefly.adobe.com |  |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom Tech Preview for \"edit suggestions\" | lightroom.adobe.com | |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you to perform specific edits to enhance the images. 
More info:  https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. 
==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway.
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at:\n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com.\n* Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor - affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions:\n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images:\n            * **AWS**\n              [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n              [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\n              https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n              https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:\n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as those secrets are designed not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, reusing an existing POC from somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n## Program AI Specific Exclusions\n\n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior.\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. 
For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self-sign-up applications, guest role, etc.\n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T14:27:59.031Z"},{"id":3771298,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* 
[Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or a materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Eligible AI Vulnerabilities (in progress)\n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact |\n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities | Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities | * Unauthorized API Calls * Tool chaining attacks * Parameter injection * Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities | * Compromised MCP Servers * Context poisoning via MCP * Tool Response Manipulation * MCP Protocol Exploits * Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | * Backdoor Injection * Training data memorization * Poisoned Pre-trained models * Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that makes any change to the asset or its metadata detectable. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n| Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly | firefly.adobe.com |  |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom Tech Preview for \"edit suggestions\" | lightroom.adobe.com | |\n| Photoshop AI Assistant | photoshop.adobe.com | AI Assistant helps you to perform specific edits to enhance the images. 
More info: https://helpx.adobe.com/photoshop/web/edit-images/retouch/edit-images-with-ai-assistant.html |\n| Stock Customize | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report:\n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account (instructions here).\n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n- DO NOT cause a potential or actual denial of service of Magento applications and systems. 
==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at:\n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com.\n* Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests, such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold), does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model.\n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n    * https://*.contentsquare.net\n    * https://*.cookielaw.org\n    * https://*.demdex.net\n    * https://*.doubleclick.net\n    * https://*.google.com\n    * https://*.googleapis.com\n    * https://*.gstatic.com\n    * https://*.newrelic.com\n    * https://*.nr-data.net\n    * https://*.recaptcha.net\n    * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.**\n\nSetup Instructions:\n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n    * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n    * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images:\n    * **AWS**\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n    * **Azure**\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n    * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n    * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n    * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql* etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:\n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n## Program AI Specific Exclusions\n\n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior.\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. 
For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that fails to succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc.\n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T12:54:09.465Z"},{"id":3771296,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* 
[Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities (in progress) \n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact | \n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities |  Cross-Prompt Injection Attacks (XPIA) - embeds adversarial instructions within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI Vulnerabilities |  * Unauthorized API Calls  * Tool chaining attacks  * Parameter injection  * Authentication and Authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP Vulnerabilities |  * Compromised MCP Servers  * Context poisoning via MCP  * Tool Response Manipulation  * MCP Protocol Exploits  * Unauthorized MCP Server Discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n| Training Data Vulnerabilities | * Backdoor Injection  * Training data memorization  * Poisoned Pre-trained models  * Infrastructure compromise | Attacker can determine whether specific sensitive data was included in the model’s training dataset. | privacy violations, confidential data exposure, model integrity compromise, unauthorized dataset disclosure |\n\n\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly | firefly.adobe.com |  |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom Tech Preview for \"edit suggestions\" | lightroom.adobe.com | |\n| Photoshop  | photoshop.adobe.com |  |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. 
It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. 
\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is already available on the website via the Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, the following examples are excluded from this program unless evidence is provided demonstrating exploitability: \n \n- DoS / resource consumption testing, unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid, incomplete or missing SPF (Sender Policy Framework) or DKIM records\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via login page or forgot-password page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Vulnerabilities in custom code developed by merchants / third parties\n- Vulnerabilities in third-party extensions or extensions available from the extension market\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL\n- Attacks requiring MITM or physical access to a user's device\n- Vulnerabilities that require disabling security features enabled in default configurations\n- Submissions claiming npm package confusion/takeover should include proof that the system(s) downloading the malicious npm package belong to Adobe\n- CRX/CRXDE related flaws if you are not able to extract PII by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working PoC demonstrating the ability to claim the corresponding resource. 
Also, reusing an existing PoC from somebody else who discovered the issue previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate that the exposure originated from a vulnerability in Adobe systems.\n- Reports based solely on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n## Program AI Specific Exclusions\n\n- Prompt Influence Without Backend Impact: Prompting techniques (including system-style or instruction-based prompts) that may influence model responses but do not bypass backend authorization checks, access restricted data, or alter enforced system behavior.\n- Role Confusion Without Unauthorized Disclosure: Role ambiguity or role-play behavior that does not lead to disclosure of internal system prompts, policies, secrets, credentials, or other non-public information.\n- Model Response Deviation Without Security Control Bypass: Divergence, hallucinations, or deviations from expected safety or response behavior that do not bypass security controls, enforcement mechanisms, or trust boundaries.\n- LLM Interpretation and Reasoning Limitations: Known limitations in LLMs related to intent inference, semantic understanding, visual interpretation, or trust-boundary assumptions where no exploitability or security impact is demonstrated.\n\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system is used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. 
For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit, i.e. one that does not succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991, a random UUID that cannot be enumerated)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self-sign-up applications, guest role, etc. \n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised because of the unique requirements and impact they may pose.\n* Product specifics can also lower a score later, once existing mitigations or limitations are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive file or directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive file or directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive file or directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive file or directory is accessed, or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, the credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, the credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (e.g. changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\nScored as a malicious file opened locally by the victim (AV:L, UI:R):\n\n* Memory disclosure (information leak) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect finders to wait until a fix has been made available and communicated to impacted customers, or until a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T12:28:15.741Z"},{"id":3771295,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* 
[Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty, even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\nWe welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Resolution | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.\n \n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, the first report received is treated as the original and subsequent reports are marked as duplicates. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or a materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n \n- Cross-site scripting (XSS)\n- Prompt injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Eligible AI Vulnerabilities (in progress)\n ---------------------------------------------------------------------------------------\n| Vulnerability Category | Vulnerability Examples | Scenario Examples | Desired Impact |\n|----------|----------|----------|----------|\n| Generative AI Vulnerabilities | Cross-Prompt Injection Attack (XPIA): adversarial instructions embedded within third-party content that the AI system retrieves and processes | An attacker uploads a corporate logo with manipulated EXIF/IPTC metadata to inject malicious instructions. 
| data exfiltration, privilege escalation, jailbreaking of safety guardrails, credential theft, unauthorized actions through tool use, and content manipulation |\n| Agentic AI vulnerabilities | Unauthorized API calls; tool-chaining attacks; parameter injection; authentication and authorization issues | An agent with file read, file write, and web request tools can be manipulated to read sensitive files, encode them, and POST them to external servers, none of which individually appears malicious. | data exfiltration, privilege escalation, persistent backdoor |\n| MCP vulnerabilities | Compromised MCP servers; context poisoning via MCP; tool response manipulation; MCP protocol exploits; unauthorized MCP server discovery | Compromise DNS to redirect MCP client connections to malicious servers with similar names. | data exposure, unauthorized tool execution, cross-tenant access, prompt injection leading to real-world actions |\n\n\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n| Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. 
https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly | firefly.adobe.com |  |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom Tech Preview for \"edit suggestions\" | lightroom.adobe.com | |\n| Photoshop  | photoshop.adobe.com |  |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. 
More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account.\n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (exception: small inputs causing disproportionately large memory usage).\n- DO NOT use an exploit to view data without authorization or cause corruption of data.\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan \n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid, incomplete or missing SPF (Sender Policy Framework) or DKIM records\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions, including those available from the extension marketplace. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations. \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. 
The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below we assume the generic **AC:L** and **PR:N**. The following section details how those two metrics are tailored for the CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc. \n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also lower the score later, once existing mitigations or limitations are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory disclosure (information leak) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T12:17:02.807Z"},{"id":3771293,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Eligible AI Vulnerabilities](#user-content-eligible-ai-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* 
[Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Eligible AI Vulnerabilities\n ---------------------------------------------------------------------------------------\n\n\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. 
https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. 
https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. 
More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly | firefly.adobe.com |  |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom Tech Preview for \"edit suggestions\" | lightroom.adobe.com | |\n| Photoshop  | photoshop.adobe.com |  |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. 
\n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants' stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in the front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in the Firefly backend API related to jobs and data are out-of-scope, as the IDs are random UUIDv4 values and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Exploits by users holding any of these roles (Admin, Integration Admin, Author or Instructor) that affect other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n **IMPORTANT**:\n - Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs ( *v2/users*, *v2/projects*, */v3/graphql* etc) are considered out of scope.\n\n# Portfolio Test Plan \n\nSetup Instructions: \n-  Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as those secrets are designed not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Reusing an existing POC created by someone else who previously discovered the issue will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. 
**Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details these two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS once existing mitigations or limitations that would downgrade the typical score are taken into account.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory disclosure (information leak) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T11:50:19.944Z"},{"id":3771292,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms 
and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly | firefly.adobe.com |  |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Lightroom Tech Preview for \"edit suggestions\" | lightroom.adobe.com | |\n| Photoshop  | photoshop.adobe.com |  |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. 
It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. 
\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com.\n*  Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It's not a ColdFusion application (uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql* etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to Oauth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Vulnerabilities in custom code developed by merchants / 3rd parties.\n- Vulnerabilities in 3rd party extensions or available from the extension market.\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.\n- Attacks requiring MITM or physical access to a user's device.\n- Vulnerabilities that require disabling security features enabled in default configurations.\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. 
**Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that doesn't succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, the Crimea region of Ukraine, Sudan, or Syria.\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T11:16:21.867Z"},{"id":3771291,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [AI Scope Overview](#user-content-ai-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms 
and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n| Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# AI Scope Overview\n -------------------------------------------------------------------------------------------------------------\n| AI Target | Enabled on | Details | \n|----------|----------|----------|\n| Acrobat AI Assistant | acrobat.adobe.com | AI Assistant allows you to engage in intelligent, context-aware conversations about your documents. |\n| Acrobat PDF Spaces | acrobat.adobe.com | PDF Spaces allow you to add multiple files and links, get AI-powered insights, and organize your research in one conversational knowledge hub. It uses the added files and links to generate summaries, answer questions, and surface key insights. More info: https://helpx.adobe.com/acrobat/web/explore-pdf-spaces/create-pdf-spaces.html |\n| Acrobat Create Podcast | acrobat.adobe.com | Create podcast feature in Acrobat turns almost any document or PDF Space into a quick, engaging audio overview, ideal for fast learning, hands‑free review, or accessible listening. More info: https://helpx.adobe.com/acrobat/web/use-acrobat-ai/podcasts/create-podcast.html |\n| Express AI Assistant | new.express.adobe.com | AI Assistant helps you explore, create, and edit content using prompts. More info: https://helpx.adobe.com/express/web/ai-assistant/adobe-express-ai-assistant-overview.html |\n| Firefly | firefly.adobe.com |  |\n| Lightroom AI Edits  | lightroom.adobe.com | Open and edit a photo using the following AI-powered features: Generative Remove, Lens Blur, Adaptive Profile, Masking. More info: https://helpx.adobe.com/ro/lightroom-cc/web/edit-photos/manage-ai-edits.html  |\n| Photoshop  | photoshop.adobe.com |  |\n| Stock Customize  | stock.adobe.com | AI-powered Customize makes searching and evaluating your stock content easy. 
It helps you speed up your workflow when you make edits to single or multiple images and view your search history, all in one place. More info: https://helpx.adobe.com/stock/how-to/refine-your-search-with-customize1.html |\n\n\n\n\n\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. 
\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at:\n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com.\n* Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model.\n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts, for example:\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.**\n\nSetup Instructions:\n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images:\n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool for creating APIs that expose core functionality of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings that are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**Note:** your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is already available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as those secrets are designed not to grant any significant access or enable damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid, incomplete or missing SPF (Sender Policy Framework) or DKIM records\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd-party extensions, including those available from the extension marketplace. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations. \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC demonstrating the ability to claim the corresponding resource. Reusing an existing POC from another researcher who discovered the issue previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate that the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. 
The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we assume the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): the attacker holds a high-privilege role such as admin, root or system operator. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also lower the score later, once existing mitigations or limitations that reduce the typical impact are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when the credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - the credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, the credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, the credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (e.g. changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory disclosure (information leak) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-18T11:06:09.147Z"},{"id":3770148,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# 
Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. 
**This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n* When duplicates occur, we treat the first report received as the unique report; subsequent reports will be marked as duplicates. \n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants' stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.\n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com.\n* Rate limiting bypasses, race conditions, and concurrency-related findings are considered out of scope unless they demonstrate a significant and tangible security impact. Minor over-utilization of features through concurrent requests — such as exceeding a soft usage limit (e.g., triggering additional PDF conversions beyond the intended threshold) — does not constitute a valid security vulnerability, as the associated risk is accepted within our current threat model. \n\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor - affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs ( *v2/users*, *v2/projects*, */v3/graphql* etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Vulnerabilities in custom code developed by merchants / 3rd parties.\n- Vulnerabilities in 3rd party extensions or available from the extension market.\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.\n- Attacks requiring MITM or physical access to a user's device.\n- Vulnerabilities that require disabling security features enabled in default configurations.\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. 
**Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that fails on some attempts\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc.\n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also lower the CVSS score later, once existing mitigations or limitations are understood that downgrade the typical score.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-24T17:50:05.496Z"},{"id":3770134,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# 
Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. 
**This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise, easily understood steps to reproduce, as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, the first report received is treated as unique, and subsequent reports will be marked as duplicates. \n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or a materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n| Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account, as described in the general setup instructions above. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants' stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (exception: small inputs causing disproportionately large memory usage). \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in the front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in the backend Firefly API related to jobs and data are out-of-scope, as the IDs are random UUID4 values and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed so as not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working PoC to demonstrate the ability to claim the corresponding resource. Also, reusing an existing PoC from somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. 
The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details these two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc. \n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also lower the CVSS score later, once existing mitigations or limitations that reduce the typical impact are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-24T12:47:02.985Z"},{"id":3769947,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# 
Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. 
**This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n* If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. 
Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. 
You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. 
\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – a tool that helps you create APIs that expose core functionality of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – a playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – a portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or in extensions available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations. \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. 
**Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that fails on some attempts\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  If either the underlying vulnerability (e.g., XSS) or the resulting impact (e.g., ATO) has already been reported and validated, subsequent reports demonstrating the same vulnerability or materially similar impact chain will be considered duplicates for that component, and only any newly identified element will be eligible for evaluation.\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-19T21:58:37.071Z"},{"id":3769870,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# 
Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. 
**This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. 
https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. 
https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. 
\n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – A tool that helps you create APIs that expose core functionality of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – A playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * coldfusion.adobe.com – A portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to Oauth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating misleading, or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n#CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nCVSS 3.1 scoring system will be used for assessment and calculation. 
**Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n###Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit, i.e. the exploit succeeds every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n###Privileges required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n###Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS once existing mitigations or limitations are understood, which may downgrade the typical score.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n##Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n##Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n##Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n##Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n##Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n##Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n##Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n##Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n##Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n##Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n##Desktop Memory Corruption Vulnerabilities\n\n* Memory leak (information disclosure) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-18T21:27:05.407Z"},{"id":3769867,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Exploits by users holding any of these roles (Admin, Integration Admin, Author or Instructor) that affect other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionality of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n\n---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:\n\n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Vulnerabilities in custom code developed by merchants / 3rd parties.\n- Vulnerabilities in 3rd-party extensions or extensions available from the extension market.\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.\n- Attacks requiring MITM or physical access to a user's device.\n- Vulnerabilities that require disabling security features enabled in default configurations.\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating inappropriate, misleading, or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. 
The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that fails to succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-18T21:25:13.317Z"},{"id":3769863,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, the first report received is treated as unique, and subsequent reports will be marked as duplicates.\n\n# Eligible Vulnerabilities\n\n---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n\n- Cross-site scripting (XSS)\n- Prompt injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n\nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n\n-------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data.\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.\n\n# Firefly Test Plan\n\n* IDORs in the backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of an application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs (*v2/users*, *v2/projects*, */v3/graphql*, etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed so as not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations. \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n- Reports solely based on an LLM generating inappropriate, offensive, misleading, or factually incorrect content in response to user prompts are out of scope, unless the behavior demonstrates a clear and reproducible security impact (e.g., unauthorized access, data exposure, or policy bypass).\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. 
**Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that does not succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-18T21:01:44.439Z"},{"id":3769799,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account (see the General Setup Instructions above). \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. ==Denial-of-service issues are out-of-scope==, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in the front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in the backend Firefly API related to jobs and data are out-of-scope, as the IDs are random UUID4 values and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs ( *v2/users*, *v2/projects*, */v3/graphql* etc.) are considered out of scope.\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as those secrets are designed not to provide any significant access or damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. **Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. 
The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (the exploit succeeds every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access, no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also lower the CVSS later, once existing mitigations or limitations that reduce the typical impact are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/U:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak (memory disclosure) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-18T09:36:28.442Z"},{"id":3769525,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants' stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in the Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n- Any vulnerabilities that disclose public information that is available on the website via Behance public APIs ( *v2/users*, *v2/projects*, */v3/graphql* etc.) are considered out of scope.\n\n# Portfolio Test Plan \n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. 
\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. 
The following section will detail those 2 metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that doesn't succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with Unpredictable Resource Identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access, no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to attacker controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-11T08:56:33.951Z"},{"id":3769228,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- XSS in Admin, Integration Admin, Author or Instructor\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed so as not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or in extensions available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. 
The following section will detail those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit, i.e. one that does not succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with Unpredictable Resource Identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS: existing mitigations or limitations may downgrade the typical score.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-04T09:07:09.286Z"},{"id":3768778,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, the first report received is treated as the original, and subsequent reports will be marked as duplicates. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of an application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n **IMPORTANT**:\n - Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan \n\nSetup Instructions: \n-  Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance,  go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n- Reports that only reference data listed on third-party breach or credential-dump services are out of scope and not accepted unless the reporter can demonstrate the exposure originated from a vulnerability in Adobe systems.\n\n#CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. 
The following section details those two metrics for a tailored CVSS calculation:\n\n###Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit, i.e. one that doesn't succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n###Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc. \n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n###Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs, other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later by understanding existing mitigations or limitations that could downgrade the typical score.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n##Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to attacker controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n##Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n##Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n##Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n##Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n##Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n##Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n##Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n##Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (e.g. changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n##Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n##Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-26T16:09:19.712Z"},{"id":3768769,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n   * Ability to alter the visual rendering of a C2PA-protected image without invalidating the signature\n   * XSS or injection issues on the Content Credentials Verify site resulting from malicious C2PA metadata\n   * Security vulnerabilities in C2PA SDKs (c2pa-rs, c2pa-js), including parsing errors, validation bypasses, or cryptographic flaws\n   * Failures to properly detect invalid, untrusted, or tampered C2PA manifests under default configurations\n   * Other security issues directly related to C2PA metadata processing or verification\n \nExample out-of-scope vulnerabilities would include:\n   * Denial-of-service issues, including memory exhaustion from large inputs (Exception: small inputs causing disproportionately large memory usage)\n   * Removing Content Credentials from an image (explicitly allowed by the threat model)\n   * Issues requiring non-default or clearly documented insecure configurations\n   * Malformed manifests generated from valid inputs (tracked as bugs, not security vulnerabilities)\n   * Use of unsupported platforms, unreleased versions, or non-standard build processes\n   * Vulnerabilities in Adobe products or services unrelated to C2PA metadata processing\n   * C2PA SDK internal functions explicitly marked as unsafe\n\nThe following issues are currently known and work is underway. 
Reports will not be accepted until remediation is complete and published:\n    * Network access triggered by C2PA manifest input (mitigations in progress)\n    * Enforcement of the CAWG X.509 trust model\n\nAdditional details, examples, and testing resources are available at: \n   * Detailed Guidelines: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n   * C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n   * C2PA security testing tools: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor - affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized, with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:\n\n- DoS / resource consumption testing, unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. 
\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Vulnerabilities in custom code developed by merchants / 3rd parties.\n- Vulnerabilities in 3rd party extensions or extensions available from the extension market.\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.\n- Attacks requiring MITM or physical access to a user's device.\n- Vulnerabilities that require disabling security features enabled in default configurations.\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws, if you are not able to extract PII by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC demonstrating the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. 
The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No dependence on non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also lower the CVSS later, once existing mitigations or limitations that downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - the credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - the credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, the credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, the credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak (information disclosure) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, the Crimea region of Ukraine, Sudan, or Syria.\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues.\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-26T13:54:27.172Z"},{"id":3768768,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement)\n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table. 
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n*  When duplicates occur, the first report received is treated as the unique report, and subsequent reports are marked as duplicates.\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood. 
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n| Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report:\n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account.\n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n- DO NOT test existing merchants' stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n- DO NOT cause a potential or actual denial of service of Magento applications and systems.\n- DO NOT use an exploit to view data without authorization or cause corruption of data.\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in a front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.\n\n# Firefly Test Plan\n\n* IDORs in the backend Firefly API related to jobs and data are out-of-scope, as the IDs are random UUID4 values and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using c2patool (https://github.com/contentauth/c2patool), located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Parsing errors that cause crashes or undefined behavior\n     * Failure to detect invalid / untrusted status in C2PA manifests\n     * Default settings that create vulnerabilities\n     * Ability to bypass C2PA manifest validation\n     * Ability to generate an apparently-trusted C2PA manifest with invalid credentials\n     * Errors in cryptographic implementations\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. 
This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n     * C2PA SDK internal functions that are marked as unsafe.\n     * Denial-of-service attacks\n     * Use of non-default configuration settings to bypass security requirements\n     * Generation of invalid C2PA manifests from valid inputs or credentials\n     * Use of the SDK or command-line tools on unsupported platforms or unreleased versions\n     * [Temporary] Network calls based on C2PA manifest input data\n     * [Temporary] The CAWG X.509 trust model added in CAWG identity 1.2 is not yet enforced\n\nMore details about in-scope / out-of-scope can be found here: https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md#what-counts-as-a-reportable-vulnerability\n\nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: the Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com.\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It's not a ColdFusion application (uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting 
issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that doesn't succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-26T13:45:22.236Z"},{"id":3768594,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants' stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in the front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.\n\n# Firefly Test Plan\n\n* IDORs in the backend Firefly API related to jobs and data are out-of-scope, as the IDs are random UUID4 values and short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using c2patool (https://github.com/contentauth/c2patool) from the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n     * C2PA SDK internal functions that are marked as unsafe.\n     * ==DoS related vulnerabilities are temporarily out-of-scope== \n\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in the *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users holding any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats as a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by third-party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – a tool that helps you create APIs exposing core functionality of applications and other backend systems. This is deprioritized, with no active development.\n            * CFFiddle – a playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * coldfusion.adobe.com – the portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production website (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production website is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- DoS / resource consumption testing unless it leads to sensitive memory disclosure\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting 
issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Vulnerabilities in custom code developed by merchants / third parties\n- Vulnerabilities in third-party extensions or extensions available from the extension market\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL\n- Attacks requiring MITM or physical access to a user's device\n- Vulnerabilities that require disabling security features enabled in default configurations\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe\n- CRX/CRXDE related flaws if you are not able to extract PII by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details these two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc. \n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
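The scores quoted in this section are worth recomputing rather than trusting, and the AC/PR guidance above is easiest to understand by seeing how much it moves a score. The following Python is an added example, not Adobe policy text or any Adobe tooling: it implements the CVSS v3.1 base-score equations from the public specification, recomputes every vector quoted in the per-CWE guidance of this section (vectors and stated scores copied from it), and re-scores the IDOR C:H baseline under the AC:H, PR:L and PR:H adjustments. Those tailored IDOR variants are constructed here for illustration and are not part of the guideline.

```python
"""CVSS v3.1 base-score calculator (added example; not Adobe policy text or tooling).
Implements the Base Metrics equations of the CVSS v3.1 specification (section 7.1,
Roundup from Appendix A) so that scores a triage guideline quotes can be recomputed
rather than trusted. GUIDELINE_VECTORS is copied from the per-CWE guidance in this
section; the IDOR variants in tailored_idor_scores() are constructed for illustration."""
import math
import re

# Metric weights from CVSS v3.1 specification Table 16; PR depends on Scope: (S:U, S:C).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
_ALLOWED = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
            "S": "UC", "C": "HLN", "I": "HLN", "A": "HLN"}
_VECTOR_RE = re.compile(r"^CVSS:3\.[01](?:/[A-Z]+:[A-Z])+$")

def roundup(x: float) -> float:
    """Spec Roundup(): smallest one-decimal value >= x, via the Appendix A integer
    trick so that floating-point noise such as 4.000000000000001 still gives 4.0."""
    int_input = round(x * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0

def parse_vector(vector: str) -> dict:
    """Base metrics of a v3.x vector as {'AV': 'N', ...}. Temporal/environmental
    metrics are accepted and ignored; a malformed vector raises ValueError."""
    if not _VECTOR_RE.match(vector):
        raise ValueError(f"malformed CVSS vector: {vector!r}")
    metrics = dict(part.split(":") for part in vector.split("/")[1:])
    for name, allowed in _ALLOWED.items():
        if metrics.get(name, "?") not in allowed:
            raise ValueError(f"metric {name} missing or invalid in {vector!r}")
    return metrics

def base_score(vector: str) -> float:
    """CVSS v3.1 base score (0.0 to 10.0) for a vector string."""
    m = parse_vector(vector)
    changed = m["S"] == "C"          # Scope changed selects the second PR weight (index 1)
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * _PR[m["PR"]][changed] * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))

def severity(score: float) -> str:
    """Qualitative rating, spec Table 14."""
    for limit, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return label
    return "Critical"

# Vectors and stated scores copied from the per-CWE guidance in this section.
GUIDELINE_VECTORS = {
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N": 6.1,   # XSS, no token theft
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N": 9.3,   # XSS with ATO
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N": 5.8,   # SSRF/traversal/XXE, non-sensitive
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N": 8.6,   # SSRF/traversal/XXE, sensitive
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H": 7.5,   # XXE Billion Laughs
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H": 10.0,  # OS command / SQL injection, deserialization
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N": 5.3,   # credentials / IDOR C:L
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N": 7.5,   # credentials / IDOR C:H
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N": 9.1,   # credentials with integrity impact
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H": 9.8,   # credentials with availability impact
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N": 5.3,   # IDOR I:L
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N": 7.5,   # IDOR I:H
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L": 5.3,   # IDOR A:L
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H": 7.5,   # IDOR A:H
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N": 4.3,   # CSRF I:L
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N": 6.5,   # CSRF I:H
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L": 4.3,   # CSRF A:L
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H": 6.5,   # CSRF A:H
    "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N": 5.5,   # desktop memory disclosure
    "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H": 7.8,   # desktop code execution
}

def check_guideline() -> list:
    """Vectors whose recomputed score differs from the stated one (empty list = all agree)."""
    return [v for v, stated in GUIDELINE_VECTORS.items() if base_score(v) != stated]

def with_metrics(vector: str, **overrides: str) -> str:
    """Copy of `vector` with the given base metrics replaced, e.g. with_metrics(v, AC="H")."""
    m = parse_vector(vector)
    m.update(overrides)
    return "CVSS:3.1/" + "/".join(f"{k}:{v}" for k, v in m.items())

def tailored_idor_scores() -> dict:
    """The IDOR C:H baseline (7.5) re-scored under the AC/PR guidance: unpredictable
    identifier -> AC:H, any logged-in user -> PR:L, admin-only -> PR:H (constructed variants)."""
    base = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
    return {"baseline": base_score(base),
            "AC:H": base_score(with_metrics(base, AC="H")),
            "PR:L": base_score(with_metrics(base, PR="L")),
            "PR:H": base_score(with_metrics(base, PR="H"))}
```

check_guideline() returns an empty list, so all twenty stated scores agree with the specification's equations. tailored_idor_scores() shows the same IDOR dropping from 7.5 to 5.9 (AC:H), 6.5 (PR:L) or 4.9 (PR:H); that is the size of adjustment to expect when an identifier is unguessable or the endpoint requires a logged-in or administrative session, and it is why a report should state plainly which of those conditions apply.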
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using a Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when the credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - the credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, the credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, the credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory disclosure (information leak) impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information. \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-21T16:52:59.622Z"},{"id":3768202,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in the backend Firefly API related to jobs and data are out-of-scope, as the IDs are random UUID4 values and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n* Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n\nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n* C2PA SDK internal functions that are marked as unsafe.\n* ==DoS related vulnerabilities are temporarily out-of-scope==\n\nFurther information and resources can be located here:\n\n* C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n* C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com.\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin, Author or Instructor) affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n    * https://*.contentsquare.net\n    * https://*.cookielaw.org\n    * https://*.demdex.net\n    * https://*.doubleclick.net\n    * https://*.google.com\n    * https://*.googleapis.com\n    * https://*.gstatic.com\n    * https://*.newrelic.com\n    * https://*.nr-data.net\n    * https://*.recaptcha.net\n    * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.**\n\nSetup Instructions:\n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n    * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n    * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images:\n    * **AWS**\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n    * **Azure**\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n    * ColdFusion API Manager – a tool that helps you create APIs that expose core functionality of applications and other backend systems. This is deprioritized, with no active development.\n    * CFFiddle – a playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n    * Coldfusion.adobe.com – the portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as they are designed in a way that does not provide any significant access or damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and 
other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details these two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments or demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-12T13:09:48.990Z"},{"id":3767715,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n     * C2PA SDK internal functions that are marked as unsafe.\n\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionality of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production website (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production website is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and 
other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma-Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with Unpredictable Resource Identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access, no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-22T08:59:26.980Z"},{"id":3766433,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n     * C2PA SDK internal functions that are marked as unsafe.\n\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin, Author or Instructor - affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) and XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of an application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and 
other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those 2 metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with Unpredictable Resource Identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-21T16:24:12.517Z"},{"id":3765998,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we treat the first report received as the unique report, and subsequent reports will be marked as duplicates. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in the front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in the Backend Firefly API related to jobs and data are out-of-scope, as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n     * C2PA SDK internal functions that are marked as unsafe.\n\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) and XXE vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of an application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n#IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to security profile will be accepted (e.g. https://account.adobe.com/security).\n\n#Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select  **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n#Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n **IMPORTANT**:\n - Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted(blocked) but is publicly accessible will be considered out-of-scope.**\n\n#Portfolio Test Plan \n\nSetup Instructions: \n-  Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance,  go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to Oauth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and 
other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n#CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n###Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with Unpredictable Resource Identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n###Privileges required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n###Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also lower the CVSS later, once existing mitigations or limitations that downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n##Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n##Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n##Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n##Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n##Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n##Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - deleting critical data, disabling user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, the Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues.\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-12T12:30:50.295Z"},{"id":3765666,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n* When submitting a vulnerability, please provide concise, easily understood steps to reproduce, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n* When duplicates occur, the first report received is treated as unique, and subsequent reports will be marked as duplicates. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html.\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n* Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n \nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n* C2PA SDK internal functions that are marked as unsafe.\n\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin or Author) affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n- **Vulnerabilities related to OAuth misconfigurations (including ATOs) are temporarily out of scope due to planned maintenance/upgrades**\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts, including:\n    * https://*.contentsquare.net\n    * https://*.cookielaw.org\n    * https://*.demdex.net\n    * https://*.doubleclick.net\n    * https://*.google.com\n    * https://*.googleapis.com\n    * https://*.gstatic.com\n    * https://*.newrelic.com\n    * https://*.nr-data.net\n    * https://*.recaptcha.net\n    * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n    * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n    * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n    * **AWS**\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n    * **Azure**\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n    * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n    * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n    * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as they are designed not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and 
other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability \n- Vulnerabilities in custom code developed by merchants / 3rd parties \n- Vulnerabilities in 3rd party extensions or extensions available from the extension market \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL \n- Attacks requiring MITM or physical access to a user's device \n- Vulnerabilities that require disabling security features enabled in default configurations \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe\n- CRX/CRXDE-related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. 
Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that doesn't succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc.
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, by understanding existing mitigations or limitations that could downgrade the typical score.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty.
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-06T18:25:08.673Z"},{"id":3765492,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n     * C2PA SDK internal functions that are marked as unsafe.\n\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials.\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author - affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learners.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope.
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope.
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n **IMPORTANT**:\n - Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc.
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as those secrets are designed not to provide any significant access or damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. 
\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions, including those available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations. \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. 
The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit: the attack succeeds every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): the attacker needs authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also lower the CVSS later, once existing mitigations or limitations that reduce the typical impact are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalation, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-04T14:20:22.521Z"},{"id":3765491,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n     * C2PA SDK internal functions that are marked as unsafe.\n\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin or Author) affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of an application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n            * cfimages.adobe.com – It is not a ColdFusion application.\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. 
Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:\n\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as the secrets are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and 
platforms\n- Missing best practices in SSL/TLS configuration.\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Vulnerabilities in custom code developed by merchants / 3rd parties.\n- Vulnerabilities in 3rd party extensions or available from the extension market.\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.\n- Attacks requiring MITM or physical access to a user's device.\n- Vulnerabilities that require disabling security features enabled in default configurations.\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration.\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. 
The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit, i.e. the exploit succeeds every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc.\n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): the attacker holds a high-privilege role such as admin, root, system operator etc.
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using the Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, changing sensitive/PII data, changing security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria.\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues.\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-04T14:04:48.134Z"},{"id":3765384,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Firefly Test Plan](#user-content-firefly-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n\n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, we treat the first report received as unique, and subsequent reports will be marked as duplicates.\n\n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n\n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n\nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Firefly Test Plan\n\n* IDORs in Backend Firefly API related to jobs and data are out-of-scope as the IDs are random UUID4 and are short-lived (72h)\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n     * C2PA SDK internal functions that are marked as unsafe.\n\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as these secrets are designed not to provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. 
\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations. \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. 
The following section will detail those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No non-default product or environment settings\n  * No unreliable exploit that does not succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will illustrate the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-31T11:24:59.917Z"},{"id":3764034,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n- DO NOT cause a potential or actual denial of service of Magento applications and systems.\n- DO NOT use an exploit to view data without authorization or cause corruption of data.\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n* Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n\nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n* C2PA SDK internal functions that are marked as unsafe.\n\nFurther information and resources can be located here:\n* C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n* C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com.\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials.\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin or Author) affecting other users.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment).\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n    * https://*.contentsquare.net\n    * https://*.cookielaw.org\n    * https://*.demdex.net\n    * https://*.doubleclick.net\n    * https://*.google.com\n    * https://*.googleapis.com\n    * https://*.gstatic.com\n    * https://*.newrelic.com\n    * https://*.nr-data.net\n    * https://*.recaptcha.net\n    * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.**\n\nSetup Instructions:\n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n    * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n    * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images:\n    * **AWS**\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n    * **Azure**\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n    * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n    * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n    * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:\n\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed so that they do not provide any significant access or damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. 
\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Vulnerabilities in custom code developed by merchants / 3rd parties.\n- Vulnerabilities in 3rd party extensions or available from the extension market.\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.\n- Attacks requiring MITM or physical access to a user's device.\n- Vulnerabilities that require disabling security features enabled in default configurations.\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration.\n- Subdomain takeover without a working PoC to demonstrate the ability to claim the corresponding resource. Also, using an existing PoC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. 
The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No reliance on non-default product or environment settings\n  * No unreliable exploit (one that does not succeed every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role, etc.\n* Low (L): the attacker requires authentication but only minimal user-level access; no special roles or permissions are required\n* High (H): the attacker holds a high-privilege role such as admin, root, system operator, etc. 
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the final CVSS score once existing mitigations or limitations that would lower the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials, etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Venezuela, Mainland China, Hong Kong, Russia, Belarus, Ukraine, Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, or Syria.\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues.\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. 
If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-02T17:49:12.038Z"},{"id":3762421,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [CVSS Guidelines](#user-content-cvss-guidelines)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n\n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, we treat the first report received as unique, and subsequent reports will be marked as duplicates.\n\n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n\n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n\nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood. 
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html.\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n* Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n\nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n* C2PA SDK internal functions that are marked as unsafe.\n\nFurther information and resources can be located here:\n\n- C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n- C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment `*.adobesign.com`. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author - affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account, due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n  * https://*.contentsquare.net\n  * https://*.cookielaw.org\n  * https://*.demdex.net\n  * https://*.doubleclick.net\n  * https://*.google.com\n  * https://*.googleapis.com\n  * https://*.gstatic.com\n  * https://*.newrelic.com\n  * https://*.nr-data.net\n  * https://*.recaptcha.net\n  * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n   * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n   * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images:\n   * **AWS**\n     * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n     * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n   * **Azure**\n     * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n     * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n  * ColdFusion API Manager – a tool that helps you create APIs that expose core functionalities of an application and other backend systems. This is deprioritized with no active development.\n  * CFFiddle – a playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n  * coldfusion.adobe.com – a portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan \n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as they are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. 
\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations. \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics are dependent on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. 
The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC)\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No product environmental non-default settings\n  * No unreliable exploit that doesn't succeed every time\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (e.g. /api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR)\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc.: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. 
\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-05T15:34:25.068Z"},{"id":3762181,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n     * C2PA SDK internal functions that are marked as unsafe.\n\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author - affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of an application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. 
\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# CVSS Guidelines\n\n---------------------------------------------------------------------------------------------------------------------------\n\nThe CVSS 3.1 scoring system will be used for assessment and calculation. The **Attack Complexity (AC)** and **Privileges Required (PR)** metrics depend on the affected product and environment setup. For most of the CWEs listed below, we will consider the generic **AC:L** and **PR:N**. 
The following section details those two metrics for a tailored CVSS calculation:\n\n### Attack Complexity (AC):\n\n* Low (L): no special conditions are required for a successful attack beyond what is typical or expected in normal exploitation scenarios\n  * No unpredictable factors\n  * No product environmental non-default settings\n  * No unreliable exploit (the exploit succeeds every time)\n* High (H): a successful attack depends on conditions beyond the attacker's control, making the attack less reliable or harder to reproduce\n  * Relies on timing or race conditions\n  * Exploit only works on non-default configurations\n  * IDOR with unpredictable resource identifiers (/api/invoice/4f2c9b8e-1e49-431d-bf20-0c97eac7a991)\n\n### Privileges Required (PR):\n\n* None (N): unauthenticated endpoints, self sign-up applications, guest role etc. \n* Low (L): attacker requires authentication but only minimal user-level access; no special roles or permissions are required \n* High (H): attacker holds a high-privilege role such as admin, root, system operator etc. 
\n\n### Note:\n* The following CVSS scores reflect the generic capabilities of the most common CWEs; other CWEs or misconfigurations cannot be standardised due to the unique requirements and impact they may pose.\n* Product specifics can also influence the CVSS later, once existing mitigations or limitations that could downgrade the typical score are understood.\n* For multiple vulnerabilities chained together, the final CVSS will reflect the combined highest impact.\n\n## Cross-site Scripting (Reflected XSS) (CWE-79) | Cross-site Scripting (Stored XSS) (CWE-79) | Cross-site Scripting (DOM-based XSS) (CWE-79)\n\n* Regular XSS - no cookie/auth token exfiltration: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n* ATO impact - demonstrates cookie/auth token exfiltration to an attacker-controlled server: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)\n\n## Server-Side Request Forgery (SSRF) (CWE-918)\n\n* No sensitive internal endpoint is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive internal endpoint is reached: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n## Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)\n\n* No sensitive directory is accessed: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n* Sensitive directory is accessed or SSRF capability: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n* DoS impact using Billion Laughs attack: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Improper Neutralization of Special Elements 
used in an SQL Command ('SQL Injection') (CWE-89)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Deserialization of Untrusted Data (CWE-502)\n\n* Unless there are other limitations in place: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Use of Hard-coded Credentials (CWE-798) | Use of Default Credentials (CWE-1392)\n\n* C:L - when credentials provide access only to test environments / demo data: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - credentials can be used to extract sensitive data or PII: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* For additional integrity impact, credentials must grant privileges to alter relevant production data or configurations: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)\n* For additional availability impact, credentials must grant privileges to destroy relevant production data or configurations: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Incorrect Authorization (CWE-863) | Insecure Direct Object Reference (IDOR)\n\n* C:L - able to read unauthorised non-sensitive data (basic metadata, user configurations, email addresses): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n* C:H - able to access PII, source code, credentials etc: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n* I:L - able to modify data in a limited way (changing the status of another user's order): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n* I:H - user role privilege escalations, change sensitive/PII data, change security configurations, financial integrity impact: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n* A:L - minor, temporary or recoverable disruptions: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n* A:H - delete critical data, disable user access or important services/features: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Cross-Site Request Forgery (CSRF) (CWE-352)\n\n* I:L - changing user profile 
information, initiating user actions with limited consequences: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n* I:H - modifying critical account details like email or password, changing security settings, performing financial transactions: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n* A:L - initiating account lockout processes, submitting a resource-intensive operation: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n* A:H - causes the victim’s account or service to be deleted, disabled, or suspended: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Desktop Memory Corruption Vulnerabilities\n\n* Memory leak impact: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n* Arbitrary code execution impact: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. 
\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-02T15:36:52.565Z"},{"id":3761502,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n     * C2PA SDK internal functions that are marked as unsafe.\n\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\nNote: Acrobat Web **AI Assistant** is also part of the scope.\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. 
Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. 
\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-21T12:40:52.338Z"},{"id":3761486,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account (instructions here). \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in the front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional power to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n* Cross-site scripting on the Verify page (https://contentcredentials.org/verify) by injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n\nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n* C2PA SDK internal functions that are marked as unsafe.\n\nFurther information and resources can be located here:\n\n* C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n* C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Exploits from users with any of these roles (Admin, Integration Admin or Author) affecting other users.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment).\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. 
We recommend testing on the latest available version, ColdFusion 2025, even though previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion (2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs exposing core functionality of applications and other backend systems. It is deprioritized, with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan \n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed not to grant any significant access or cause damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Incomplete, invalid or missing SPF (Sender Policy Framework) or DKIM records\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. 
\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-21T09:18:15.949Z"},{"id":3761438,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nThe first researcher to report a vulnerability will be the one acknowledged in the release notes once the vulnerability is resolved. If additional team members were involved in researching the vulnerability, please provide their name(s) and their contribution to the findings when submitting the report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. Providing your testing IP address allows Adobe to conduct expedited incident response investigations by ruling your traffic out from genuine adversary traffic. It also helps ensure your testing traffic is not blocked or interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you can, at any time, request that Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n* When duplicates occur, we treat the first report received as unique, and subsequent reports will be marked as duplicates. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n| Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account (see the General Setup Instructions above). \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author - affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. 
Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – A tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – A playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan \n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. 
\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-20T15:31:48.709Z"},{"id":3761436,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n* When duplicates occur, we treat the first report received as unique, and subsequent reports will be marked as duplicates. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Prompt Injection that leads to disclosure of sensitive content\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. 
https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html.\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n* Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n\nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n\nFurther information and resources can be located here:\n\n- C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n- C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author - affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n    * https://*.contentsquare.net\n    * https://*.cookielaw.org\n    * https://*.demdex.net\n    * https://*.doubleclick.net\n    * https://*.google.com\n    * https://*.googleapis.com\n    * https://*.gstatic.com\n    * https://*.newrelic.com\n    * https://*.nr-data.net\n    * https://*.recaptcha.net\n    * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. 
Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n   * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n   * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images:\n   * **AWS**\n     * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n     * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n   * **Azure**\n     * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n     * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n    * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n    * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n    * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n\n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. 
\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-20T15:22:08.746Z"},{"id":3761058,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n\n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n* When duplicates occur, we treat the first report received as unique, and subsequent reports will be marked as duplicates. \n\n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n\n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n\nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. 
https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. 
https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. 
\n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. 
Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of an application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Vulnerabilities in mobile applications relying on the installation of a malicious APK are out-of-scope due to limited real-world exploitability\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to Oauth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. 
\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. 
\n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-13T14:22:49.118Z"},{"id":3759243,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. 
https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. 
https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. 
\n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin or Author) affecting other users.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment).\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.**\n\nSetup Instructions:\n1. 
Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown installer (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images:\n            * **AWS**\n            * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n            * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n            * **Azure**\n            * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n            * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n            * coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to Oauth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. 
\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues.\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-17T14:21:28.398Z"},{"id":3759006,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement)\n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. 
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, the first report received is treated as the unique report and subsequent reports are marked as duplicates.\n\n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n\n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n\nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. 
https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. 
https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n| Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report:\n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account (see the General Setup Instructions above).\n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. 
\n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html.\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n* Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n\nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n\nFurther information and resources can be located here:\n\n* C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n* C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com.\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin or Author) affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment).\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.**\n\nSetup Instructions:\n1. 
Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown installer (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images:\n            * **AWS**\n            * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n            * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n            * **Azure**\n            * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n            * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of an application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource. Also, using an existing POC of somebody else who discovered it previously will result in the report being closed as Not Applicable.\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. 
\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-14T15:50:35.024Z"},{"id":3758606,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. 
https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. 
https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. 
\n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. 
Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of an application and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:\n\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as they are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration.\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. 
\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-08T10:39:51.816Z"},{"id":3758420,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n* The first reported and confirmed ATO method will receive the full bounty payout based on its validated severity. Any later reports using the same or similar ATO technique, regardless of the targeted endpoint, flow, or user type, will be downgraded in severity and awarded a reduced bounty, based on the vulnerability’s impact without the Account Takeover scenario. This rule is applicable to all in-scope products.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). 
\n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. 
https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. 
https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. 
\n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. 
Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n            * ColdFusion API Manager – Tool that helps you to create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n            * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infra is managed by a third party with minimal involvement from the ColdFusion team.\n            * Coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It's not a ColdFusion application (uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings that are not Identity/IMS related are out-of-scope. 
Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:\n\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as they are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration.\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. 
\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-02T11:13:27.606Z"},{"id":3756524,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement)\n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. 
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Resolution | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.\n\n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, the first report received is treated as the original and subsequent reports are marked as duplicates. 
\n\n# Eligible Vulnerabilities\n\n---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n\n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n\nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Scope Overview\n\n-------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n| Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n\n-------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report:\n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account.\n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n- DO NOT cause a potential or actual denial of service of Magento applications and systems.\n- DO NOT use an exploit to view data without authorization or cause corruption of data.\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in the front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using c2patool (https://github.com/contentauth/c2patool), located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n* Cross-site scripting on the Verify page (https://contentcredentials.org/verify) via injection of malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n\nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n\nFurther information and resources can be located here:\n\n* C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n* C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT** – Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment (`*.adobesign.com`).\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials.\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles (Admin, Integration Admin or Author) affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment).\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** – Adobe Photoshop Web specific out-of-scope:\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts, such as:\n    * `https://*.contentsquare.net`\n    * `https://*.cookielaw.org`\n    * `https://*.demdex.net`\n    * `https://*.doubleclick.net`\n    * `https://*.google.com`\n    * `https://*.googleapis.com`\n    * `https://*.gstatic.com`\n    * `https://*.newrelic.com`\n    * `https://*.nr-data.net`\n    * `https://*.recaptcha.net`\n    * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** – **Reports against ColdFusion without the Lockdown installer in place are out of scope. We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.**\n\nSetup Instructions:\n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker – [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n    * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n    * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images:\n    * **AWS**\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n    * **Azure**\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n- ColdFusion specific out-of-scope:\n    * ColdFusion API Manager – Tool that helps you create APIs that expose core functionalities of applications and other backend systems. This is deprioritized with no active development.\n    * CFFiddle – Playground that allows developers to quickly test code snippets, share their work with others, and collaborate on projects. The infrastructure is managed by a third party with minimal involvement from the ColdFusion team.\n    * coldfusion.adobe.com – Portal used by customers for posting discussions, blogs and announcements. It is not a ColdFusion application (it uses WordPress and PHP).\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. 
Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out of scope. Only submissions related to the security profile will be accepted (e.g. https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**Note:** your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out of scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n\n---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed in a way that does not provide any significant access or damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions 
are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid, incomplete or missing SPF (Sender Policy Framework) or DKIM records\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations. \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE-related flaws where you are not able to extract PII by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working PoC demonstrating the ability to claim the corresponding resource\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate in good faith with finders who wish to disclose vulnerabilities. 
To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-29T10:56:30.115Z"},{"id":3752164,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. 
By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible 
Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  
If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. 
https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. 
https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. 
\n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. 
This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. 
\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. 
Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n**IMPORTANT:**\n- All unresolved findings previously submitted for CF 2021 and CF 2023 are also being verified for CF 2025. 
Therefore, resubmitting them will result in rejection or closure as duplicates.\n- **Cross-Site Scripting (XSS) vulnerabilities are temporarily out of scope due to planned maintenance/upgrades.**\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n#IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to security profile will be accepted (e.g. https://account.adobe.com/security).\n\n#Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select  **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block. 
Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n#Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n **IMPORTANT**:\n - Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted(blocked) but is publicly accessible will be considered out-of-scope.**\n\n#Portfolio Test Plan \n\nSetup Instructions: \n-  Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance,  go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to Oauth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. 
\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-20T16:10:20.106Z"},{"id":3751951,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, the first report received is treated as the original, and subsequent reports will be marked as duplicates. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account, as described in the General Setup Instructions above. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in the front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n* Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\n\n* C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n* C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author - affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope. We recommend testing on the latest available version, ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\" from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown installer (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan \n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as the apps are designed so that a leaked secret does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n- Subdomain takeover without a working POC to demonstrate the ability to claim the corresponding resource\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. 
\n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-18T16:01:43.319Z"},{"id":3751542,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing cycle, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, the first report received is treated as the original, and subsequent reports will be marked as duplicates. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author - affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as they are designed in a way that does not provide any significant access or damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  
Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-11T16:53:20.823Z"},{"id":3751389,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope. We recommend testing on the latest available version ColdFusion 2025, even if previous versions are still supported.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma-Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  
Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-10T09:43:59.998Z"},{"id":3751053,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2025 release) Server Auto-Lockdown\"  from here: \nhttps://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n3. 
Cloud images: \n            * **AWS**\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to Oauth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  
Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-02-28T09:26:57.400Z"},{"id":3748603,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author - affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\"  from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n3. Follow the setup instructions for the ColdFusion server ( https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n            * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images: \n            * **AWS**\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n\n**IMPORTANT**:\n- Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n- **Any scenario in which a logged-in user is able to access content that is intended to be restricted (blocked) but is publicly accessible will be considered out-of-scope.**\n\n# Portfolio Test Plan\n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to Oauth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  
Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-23T09:52:52.904Z"},{"id":3746037,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n-------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n| Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n-------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account (instructions here). \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\"  from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n3. Follow the setup instructions for the ColdFusion server ( https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n            * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n#IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DOS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block. Also, express.adobe.com and express-embed.adobe.com are out-of-scope.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n\n# Portfolio Test Plan \n\nSetup Instructions: \n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  
Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-12-06T09:08:14.107Z"},{"id":3745476,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement)\n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Resolution | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, we treat the first report received as the unique report, and subsequent reports of the same issue will be marked as duplicates. 
\n \n \n# Eligible Vulnerabilities\n---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n-------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html.\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n* Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n\nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n\nFurther information and resources can be located here:\n\n* C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n* C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts, for example:\n    * https://*.contentsquare.net\n    * https://*.cookielaw.org\n    * https://*.demdex.net\n    * https://*.doubleclick.net\n    * https://*.google.com\n    * https://*.googleapis.com\n    * https://*.gstatic.com\n    * https://*.newrelic.com\n    * https://*.nr-data.net\n    * https://*.recaptcha.net\n    * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without Lockdown installer in place are out-of-scope.**\n\nSetup Instructions:\n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0\n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n    * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n    * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images:\n    * **AWS**\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n    * **Azure**\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option.\n- Enter your Adobe account credentials and start testing the app. (**!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n\n# Portfolio Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n# Program Exclusions\n---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  
Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-29T14:12:15.982Z"},{"id":3745475,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement)\n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Portfolio Test Plan](#user-content-portfolio-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Resolution | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, we treat the first report received as the unique report, and subsequent reports of the same issue will be marked as duplicates. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\"  from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n3. Follow the setup instructions for the ColdFusion server ( https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n            * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. Testing against the public production web site (www.behance.net) is also not permitted.\n\n# Portfolio Test Plan \n\nSetup Instructions: \n-  Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com) and authenticate using your credentials.\n- Once authenticated in the stage environment for Behance, go to https://portfolio.ccpsx.com/ and you will be prompted to continue with your Behance account. \n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site is also not permitted.\n\n\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  
Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-29T14:10:41.947Z"},{"id":3743971,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n|  Adobe Express | Adobe Express is an all-in-one design, photo, and video tool to make content creation easy. You can get started creating in Adobe Express for free or upgrade for a monthly fee to unlock all the premium value. https://www.adobe.com/express/ |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. 
This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\"  from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n3. Follow the setup instructions for the ColdFusion server ( https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n            * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty).\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an auto-IP block\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site (www.behance.net) is also not permitted.\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to Oauth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  
Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-07T14:44:21.217Z"},{"id":3743960,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Express Test Plan](#user-content-express-test-plan)\n* [Behance Test Plan](#user-content-behance-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  
\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access controls vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\"  from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n3. Follow the setup instructions for the ColdFusion server ( https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n            * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Express Test Plan\n\nSetup Instructions:\n- Visit https://new.express.adobe.com/ and select the **\"Continue with Email\"** option. \n- Enter your Adobe account credentials and start testing the app. ( **!** Your Adobe account must be registered with your HackerOne email address \u003cusername\u003e@wearehackerone.com. This is a required step to be eligible for bounty.)\n- IMPORTANT: Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n\n# Behance Test Plan\n\nSetup Instructions:\n- Create an Adobe Account at https://net.s2stagehance.com using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- IMPORTANT: Do not test against any additional domains that this site uses for static content, adobelogin.com, etc. 
Testing against the public production web site (www.behance.net) is also not permitted.\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma-Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. 
\n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  
Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-07T09:51:59.326Z"},{"id":3740212,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  
\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- ==Improper access control vulnerabilities in *Custom roles* and *Social Learning* functionalities are temporarily out-of-scope due to planned maintenance/upgrades.==\n- Users with any of these roles - Admin, Integration Admin or Author - affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n            * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed in a way that does not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma-Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. 
\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  
\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-24T08:06:42.633Z"},{"id":3738084,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA (business days) |\n|----------|--------------------|\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Resolution | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, the first report received is treated as the unique report, and subsequent reports will be marked as duplicates. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account, as described in the General Setup Instructions above. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Adobe Commerce (Magento) applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in a front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  
\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using c2patool (https://github.com/contentauth/c2patool) from the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n* Cross-site scripting on the Verify page (https://contentcredentials.org/verify) via injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n\nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n\nFurther information and resources can be located here:\n\n* C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n* C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- Users with any of these roles - Admin, Integration Admin or Author - affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment).\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by third-party hosts, for example:\n    * https://*.contentsquare.net\n    * https://*.cookielaw.org\n    * https://*.demdex.net\n    * https://*.doubleclick.net\n    * https://*.google.com\n    * https://*.googleapis.com\n    * https://*.gstatic.com\n    * https://*.newrelic.com\n    * https://*.nr-data.net\n    * https://*.recaptcha.net\n    * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n2. Download the Lockdown installer under \"Download Adobe ColdFusion (2023 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n    * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n    * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images:\n    * **AWS**\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n    * **Azure**\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to the Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" section and other settings which are not Identity/IMS related are out-of-scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, the following examples are excluded from this program unless evidence demonstrating exploitability is provided: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed not to grant any significant access or enable damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid, incomplete or missing SPF (Sender Policy Framework) or DKIM records\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via login page or forgot-password page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / third parties. \n- Vulnerabilities in third-party extensions or extensions available from the extension market. 
\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  
\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-06T11:08:10.129Z"},{"id":3737605,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Resolution | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.\n\n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, we treat the first report received as the unique report, and subsequent reports will be marked as duplicates. 
\n\n# Eligible Vulnerabilities\n---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n\n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n\nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Scope Overview\n-------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n\n# Testing Plans\n-------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for a bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report:\n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account (instructions here).\n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n- DO NOT cause a potential or actual denial of service of Magento applications and systems.\n- DO NOT use an exploit to view data without authorization or cause corruption of data.\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in the front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid. 
\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n* Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n\nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n\nFurther information and resources can be located here:\n\n* C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n* C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for a bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment `*.adobesign.com`.\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials.\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- Users with any of these roles (Admin, Integration Admin or Author) affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment).\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web specific out-of-scope:\n* All [Program Exclusions](#user-content-program-exclusions) still apply.\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts, for example:\n    * `https://*.contentsquare.net`\n    * `https://*.cookielaw.org`\n    * `https://*.demdex.net`\n    * `https://*.doubleclick.net`\n    * `https://*.google.com`\n    * `https://*.googleapis.com`\n    * `https://*.gstatic.com`\n    * `https://*.newrelic.com`\n    * `https://*.nr-data.net`\n    * `https://*.recaptcha.net`\n    * etc.\n\n# ColdFusion Test Plan\n\n**IMPORTANT** - **Reports against ColdFusion without the Lockdown installer in place are out-of-scope.**\n\nSetup Instructions:\n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0\n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these do not include the Lockdown installer**):\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n    * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n    * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images:\n    * **AWS**\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n    * **Azure**\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.lightroom.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for a bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com).\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, the \"Plans and payment\" sections and other settings which are not Identity/IMS related are out of scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Program Exclusions\n---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:\n\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as those secrets are designed in a way that does not provide any significant access or damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration.\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Vulnerabilities in custom code developed by merchants / 3rd parties.\n- Vulnerabilities in 3rd party extensions or available from the extension market. 
\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  
\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-02T10:27:16.098Z"},{"id":3737600,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement)\n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.\n\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. 
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Resolution | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.\n\n* When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n* Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)).\n* If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n* When duplicates occur, we treat the first report received as the unique report, and subsequent reports will be marked as duplicates. 
\n\n# Eligible Vulnerabilities\n---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n\n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n\nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Scope Overview\n-------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n\n# Testing Plans\n-------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for a bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report:\n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account (instructions here).\n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n- DO NOT cause a potential or actual denial of service of Magento applications and systems.\n- DO NOT use an exploit to view data without authorization or cause corruption of data.\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in the front-end context but not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid. 
\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- Users with any of these roles (Admin, Integration Admin or Author) affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment).\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web specific out-of-scope:\n* All [Program Exclusions](#user-content-program-exclusions) still apply.\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\"  from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n3. Follow the setup instructions for the ColdFusion server ( https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n            * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images: \n            * **AWS**\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out of scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as these secrets are designed so that they do not provide any significant access or damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Vulnerabilities in custom code developed by merchants / 3rd parties\n- Vulnerabilities in 3rd-party extensions or in extensions available from the extension market. 
\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  
\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues.\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-02T08:06:19.294Z"},{"id":3737599,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Lightroom Web Test Plan](#user-content-lightroom-web-test-plan)\n* [IMS Test Plan](#user-content-ims-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:\n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details |\n|----------|--------------------|\n| Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html |\n| Content Authenticity Initiative | The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe Coldfusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  
\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- Users with any of these roles (Admin, Integration Admin or Author) affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment).\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web specific out-of-scope:\n* All [Program Exclusions](#user-content-program-exclusions) still apply.\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\"  from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n3. Follow the setup instructions for the ColdFusion server ( https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n            * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images: \n            * **AWS**\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Lightroom Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** – Lightroom Web specific out-of-scope:\n- Vulnerabilities related to \"Google Photos\" are out of scope.\n- Denial-of-service testing is explicitly out of scope.\n\n# IMS Test Plan\n\nSetup Instructions:\n1. When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n2. Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. \u003cusername\u003e@wearehackerone.com)\n\n**IMPORTANT** – IMS specific out-of-scope:\n- Denial-of-service testing is explicitly out of scope. Any DoS testing will likely result in an automatic IP block.\n- Vulnerabilities related to IMS OAuth are temporarily out of scope due to planned maintenance/upgrades.\n- For account.adobe.com, \"Plans and payment\" sections and other settings which are not Identity/IMS related are out of scope. Only submissions related to the security profile will be accepted (e.g. 
https://account.adobe.com/security).\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. 
\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  
\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-02T07:58:40.565Z"},{"id":3735812,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. 
Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  
\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanagerstage4.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by a learner.\n- Denial-of-service testing and production testing (only test against the provided stage environment)\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\"  from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n3. Follow the setup instructions for the ColdFusion server ( https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n            * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to Oauth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery(CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records 
(Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. 
However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-12T08:38:10.808Z"},{"id":3734748,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. 
Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. 
Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. 
\n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. 
https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  
\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT**  - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment  *.adobesign.com. \n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanager.adobe.com/acapindex.html and authenticate using your credentials. \n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- Users with any of these roles - Admin, Integration Admin or Author affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion Application.\n- Social engineering using adobe.com links of a trial account due to unverified trial account creation.\n- Exploits related to uploading arbitrary binary file formats by learner.\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Login to your Adobe account  associated  with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT**  - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. 
DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by 3rd party hosts…\n            * https://*.contentsquare.net\n            * https://*.cookielaw.org\n            * https://*.demdex.net\n            * https://*.doubleclick.net\n            * https://*.google.com\n            * https://*.googleapis.com\n            * https://*.gstatic.com\n            * https://*.newrelic.com\n            * https://*.nr-data.net\n            * https://*.recaptcha.net\n            * etc..\n\n# ColdFusion Test Plan\n\n**IMPORTANT**  - **Reports against ColdFusion without Lockdown installer in place are out-of-scope.** \n\nSetup Instructions: \n1. Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n2.  Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\"  from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0 \n3. Follow the setup instructions for the ColdFusion server ( https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion (**these don't include Lockdown installer**) :\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n            * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n            * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. 
Cloud images: \n            * **AWS**\n [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n[AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n\n            * **Azure**\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\nhttps://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded as they are designed in a way to not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records 
(Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. 
However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-31T13:00:48.941Z"},{"id":3734714,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. 
This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-application-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. 
Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. 
Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. 
\n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. 
https://contentauthenticity.org/ |\n| Adobe Firefly  |  Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock.  https://firefly.adobe.com/ |\n|  Learning Manager  | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n|  Photoshop Web  |  With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n|  Adobe ColdFusion  | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n|  Acrobat Web   | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n|  Acrobat Reader Mobile App (Android, iOS) | With Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  
\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using c2patool (https://github.com/contentauth/c2patool) from the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature (for example, changing what a viewer renders without touching the bytes covered by the manifest's hard binding, i.e. its content hash).\n* Cross-site scripting on the Verify page (https://contentcredentials.org/verify) via injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n\nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n\nFurther information and resources can be located here:\n\n* C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n* C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com.\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanager.adobe.com/acapindex.html and authenticate using your credentials.\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- Users with any of these roles (Admin, Integration Admin or Author) affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account, since trial account creation is unverified.\n- Exploits related to a learner uploading arbitrary binary file formats.\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by third-party hosts, e.g.:\n    * https://*.contentsquare.net\n    * https://*.cookielaw.org\n    * https://*.demdex.net\n    * https://*.doubleclick.net\n    * https://*.google.com\n    * https://*.googleapis.com\n    * https://*.gstatic.com\n    * https://*.newrelic.com\n    * https://*.nr-data.net\n    * https://*.recaptcha.net\n    * etc.\n\n# ColdFusion Test Plan\n\nSetup Instructions:\n1. 
Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0\n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion:\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n    * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n    * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. Cloud images:\n    * **AWS**\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n    * **Azure**\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, the following examples are excluded from this program unless evidence is provided demonstrating exploitability:\n 
\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as the apps are designed so that such leaks do not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid, incomplete or missing SPF (Sender Policy Framework) or DKIM records\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Vulnerabilities in custom code developed by merchants / 3rd parties\n- Vulnerabilities in 3rd party extensions or available from the extension market\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL\n- Attacks requiring MITM or physical access to a user's device\n- Vulnerabilities that require disabling security features enabled in default configurations
\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-31T08:54:10.814Z"},{"id":3732901,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. 
To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards)\n* [Security Researcher Hall of Fame](#user-content-security-researcher-hall-of-fame)\n* [Rules of Engagement](#user-content-rules-of-engagement)\n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Scope Overview](#user-content-scope-overview)\n* [Adobe Commerce Test Plan](#user-content-adobe-commerce-test-plan)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Adobe Acrobat Web Test Plan](#user-content-adobe-acrobat-web-test-plan)\n* [Learning Manager Test Plan](#user-content-learning-manager-test-plan)\n* [Photoshop Web Test Plan](#user-content-photoshop-web-test-plan)\n* [ColdFusion Test Plan](#user-content-coldfusion-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\n\n-------------------------------------------------------------------------------------------------------------\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. 
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Security Researcher Hall of Fame\n\n-------------------------------------------------------------------------------------------------------------\n We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Rules of Engagement\n\n---------------------------------------------------------------------------------------------------------------------------\nPlease review the following guidelines before submitting your report: \n* DO include the User-Agent string `h1_username` while testing. **This is a requirement in order to be eligible for a bounty.**\n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. 
phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Response Targets\n\n-------------------------------------------------------------------\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\n\n----------------------------------------------------------------------------------------------------\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. 
\n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n ---------------------------------------------------------------------------------------\nWe encourage the coordinated disclosure of the following eligible application vulnerabilities:  \n \n- Cross-site scripting (XSS)\n- Cross-site request forgery (CSRF) in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n\n# Scope Overview\n -------------------------------------------------------------------------------------------------------------\n\n| Target | Details | \n|----------|--------------------|\n|  Adobe Commerce | Adobe Commerce is a flexible and scalable commerce platform that lets you create uniquely personalised B2B and B2C experiences, no matter how many brands you have. https://business.adobe.com/au/products/magento/magento-commerce.html | \n| Content Authenticity Initiative |  The CAI’s free open-source tools support a broad and expanding range of content creation tools, from generative AI to digital photography to digital art and more. Each asset is cryptographically hashed and signed to capture a verifiable, tamper-evident record that enables exposure of any changes to the asset or its metadata. Creators can choose to attach attribution information and usage signals directly to their assets. 
https://contentauthenticity.org/ |\n| Adobe Firefly | Adobe Firefly is a family of creative generative AI models. Features powered by Firefly are embedded in Adobe’s flagship apps and Adobe Stock. https://firefly.adobe.com/ |\n| Learning Manager | Adobe Learning Manager is an award-winning learning platform that integrates learning experiences into your brand’s website and apps. https://business.adobe.com/products/learning-manager/adobe-learning-manager.html |\n| Photoshop Web | With Photoshop's online, intuitive, and precise editing tools, you can create images and content you'll love right in your browser. https://photoshop.adobe.com/ |\n| Adobe ColdFusion | Adobe ColdFusion is a battle-proven and high-performing application server that makes web development easy for every coder. https://www.adobe.com/products/coldfusion-family.html |\n| Acrobat Web | Adobe Acrobat online services let you work with PDFs in any browser. Create and convert PDFs online, reduce a file size, and more. https://acrobat.adobe.com/us/en/ |\n| Acrobat Reader Mobile App (Android, iOS) | With the Acrobat Reader mobile app you can work on documents anywhere. This app is packed with all the latest tools you need to keep projects moving wherever you are. https://www.adobe.com/acrobat/mobile/acrobat-reader.html |\n| Adobe Scan Mobile App (Android, iOS) | The Adobe Scan mobile app works on your mobile device as a photo and document scanner that creates PDFs and automatically recognises text. https://www.adobe.com/uk/acrobat/mobile/scanner-app.html |\n\n# Testing Plans\n -------------------------------------------------------------------------------------------------------------\n\nGeneral Setup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n\n# Adobe Commerce Test Plan\n\nPlease review the following guidelines before submitting your report:\n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account.\n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n- DO NOT cause a potential or actual denial of service of Magento applications and systems.\n- DO NOT use an exploit to view data without authorization or cause corruption of data.\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code only executes in the storefront (front-end) context and not in the admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.
\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using c2patool (https://github.com/contentauth/c2patool) from the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html\n\nExample in-scope vulnerabilities would include:\n\n* The ability to modify the visual rendering of a C2PA image without invalidating the signature (for example, changing what a viewer renders without touching the bytes covered by the manifest's hard binding, i.e. its content hash).\n* Cross-site scripting on the Verify page (https://contentcredentials.org/verify) via injecting malicious content into C2PA metadata.\n* Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js).\n\nExample out-of-scope vulnerabilities would include:\n\n* The ability to remove a Content Credential from an image. This is an accepted part of the threat model.\n* Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n\nFurther information and resources can be located here:\n\n* C2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\n* C2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n# Adobe Acrobat Web Test Plan\n\nSetup Instructions:\n- When registering an account, please use your HackerOne username \u003cusername\u003e@wearehackerone.com email alias. This is a required step to be eligible for bounty.\n- Create an Adobe Account at https://account.adobe.com/ using your HackerOne handle (e.g. 
\u003cusername\u003e@wearehackerone.com)\n- Navigate to https://acrobat.adobe.com/us/en/ to get started!\n\n**IMPORTANT** - Document Cloud Adobe Acrobat Web specific out-of-scope:\n* Document Cloud Adobe Sign Web production environment *.adobesign.com.\n\n# Learning Manager Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Go to https://learningmanager.adobe.com/acapindex.html and authenticate using your credentials.\n\n**IMPORTANT** – Adobe Learning Manager specific out-of-scope:\n- Users with any of these roles (Admin, Integration Admin or Author) affecting other users in the same account.\n- Any exploit from a user affecting only themselves.\n- Desktop companion application.\n- Social engineering using adobe.com links of a trial account, since trial account creation is unverified.\n- Exploits related to a learner uploading arbitrary binary file formats.\n\n# Photoshop Web Test Plan\n\nSetup Instructions:\n1. Log in to your Adobe account associated with your HackerOne username \u003cusername\u003e@wearehackerone.com.\n2. Navigate to https://www.photoshop.adobe.com to get started!\n\n**IMPORTANT** - Adobe Photoshop Web Out-of-Scope\n* All [Program Exclusions](#user-content-program-exclusions) still apply\n* You will be testing Photoshop Web in PROD. DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* Endpoints owned by third-party hosts, e.g.:\n    * https://*.contentsquare.net\n    * https://*.cookielaw.org\n    * https://*.demdex.net\n    * https://*.doubleclick.net\n    * https://*.google.com\n    * https://*.googleapis.com\n    * https://*.gstatic.com\n    * https://*.newrelic.com\n    * https://*.nr-data.net\n    * https://*.recaptcha.net\n    * etc.\n\n# ColdFusion Test Plan\n\nSetup Instructions:\n1. 
Download the ColdFusion installer under \"Download Trial Edition\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0\n2. Download the Lockdown installer under \"Download Adobe ColdFusion(2023 release) Server Auto-Lockdown\" from here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#download0\n3. Follow the setup instructions for the ColdFusion server (https://helpx.adobe.com/coldfusion/installing/install-coldfusion-2021-server-configuration.html) and for the Lockdown server (https://helpx.adobe.com/coldfusion/using/server-lockdown.html).\n\nOther ways to install ColdFusion:\n1. Docker - [Docker images for ColdFusion (adobe.com)](https://helpx.adobe.com/coldfusion/using/docker-images-coldfusion.html)\n2. ZIP installer:\n    * https://helpx.adobe.com/in/coldfusion/using/install-coldfusion-2021.html\n    * https://coldfusion.adobe.com/2020/12/coldfusion-2021-install-experience/\n3. Cloud images:\n    * **AWS**\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Windows (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6?sr=0-2\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n        * [AWS Marketplace: Adobe ColdFusion (2023 Release) Ubuntu Linux (amazon.com)](https://aws.amazon.com/marketplace/pp/prodview-mcobuzblflk6g?sr=0-5\u0026ref_=beagle\u0026applicationId=AWSMPContessa)\n    * **Azure**\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023windows?tab=Overview\n        * https://azuremarketplace.microsoft.com/en-us/marketplace/apps/coalescesolutionsllc1649284093713.cf2023linux?tab=Overview\n\n# Program Exclusions\n ---------------------------------------------------------------------------------------------------------\n\nWhile we encourage any submission affecting the security of an Adobe web property, the following examples are excluded from this program unless evidence is provided demonstrating exploitability:\n 
\n- Mobile app submissions that require the use of rooted or jailbroken devices will not be accepted\n- Mobile app submissions related to OAuth secret leaks are excluded, as the apps are designed so that such leaks do not provide any significant access / damage\n- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery (CSRF)\n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)\n- Missing HTTP security headers\n- Missing cookie flags on non-sensitive cookies\n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid, incomplete or missing SPF (Sender Policy Framework) or DKIM records\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Brute-forcing credentials\n- Methods to extend product trial periods\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Vulnerabilities in custom code developed by merchants / 3rd parties\n- Vulnerabilities in 3rd party extensions or available from the extension market\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL\n- Attacks requiring MITM or physical access to a user's device\n- Vulnerabilities that require disabling security features enabled in default configurations
\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\n\n-----------------------------------------------------------------------------------------------\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Minors\n\n------------------------------------------------------------------------------------------------\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n# Ineligible Participants\n\n-------------------------------------------------------------------------------------------------\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n -------------------------------------------------------------------------------------------------\n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-18T14:53:06.234Z"},{"id":3724199,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. 
To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Adobe Commerce Guidelines](#user-content-adobe-commerce-guidelines)\n* [Content Authenticity Initiative Test Plan](#user-content-content-authenticity-initiative-test-plan)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Safe Harbor](#user-content-safe-harbor)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n**UPDATE!** We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Tier 1 Scope:\n\n* Adobe Commerce, Adobe Commerce B2B and Magento Open Source\n     * Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n     * Bundled extensions\n* CAI Content Credentials \n      * https://contentcredentials.org/\n      * C2PA Tool (https://opensource.contentauthenticity.org/docs/c2patool)\n      * C2PA SDKs (Rust - https://github.com/contentauth/c2pa-rs, JavaScript - https://github.com/contentauth/c2pa-js)\n\n\n# Tier 2 Scope:\n\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n# Guidelines\nPlease review the following guidelines before submitting your report: \n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. 
Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  
\n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. 
\n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Content Authenticity Initiative Test Plan\n\nContent Authenticity Initiative (CAI) related testing may require you to generate or locate images containing C2PA metadata, also known as Content Credentials. Images can be generated using the c2patool (https://github.com/contentauth/c2patool) located in the Content Authenticity GitHub project. In addition, images with C2PA metadata can be found via several Adobe services. This webpage provides an overview of Content Credential support within different Adobe products and services: https://helpx.adobe.com/creative-cloud/help/content-credentials.html .\n\nExample in-scope vulnerabilities would include:\n\n     * The ability to modify the visual rendering of a C2PA image without invalidating the signature.\n     * Cross-site scripting on the Verify (https://contentcredentials.org/verify) page via injecting malicious content into C2PA metadata.\n     * Traditional source code vulnerabilities in the C2PA SDKs (c2pa-rs and c2pa-js)\n \nExample out-of-scope vulnerabilities would include:\n     * The ability to remove a Content Credential from an image. 
This is an accepted part of the threat model.\n     * Vulnerabilities in Adobe products or services unrelated to the processing of C2PA metadata or the contentcredentials.org website are out of scope for the Content Authenticity bug bounty.\n \nFurther information and resources can be located here:\nC2PA specification: https://c2pa.org/specifications/specifications/2.0/index.html\nC2PA security testing tool: https://github.com/contentauth/c2pa-attacks\n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. 
\n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n# Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  
\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-26T13:35:45.036Z"},{"id":3723905,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. 
If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Adobe Commerce Guidelines](#user-content-adobe-commerce-guidelines)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Safe Harbor](#user-content-safe-harbor)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n**UPDATE!** We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. 
Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source\n## Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n# Guidelines\nPlease review the following guidelines before submitting your report: \n* DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps.  If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.\n* DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). \n Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* DO NOT submit any cross-site scripting vulnerability unless you can demonstrate exporting meaningful cookies that can be used to impersonate another test user account, then show that you are indeed able to gain access using that cookie. Simply exporting meaningless cookies is not a sufficient demonstration of impact.\n* DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.\n* DO NOT test existing customer environments without explicit permission from the owner. Researchers may perform their testing against their own local installations.\n* DO NOT cause a potential or actual denial of service of Adobe applications and systems.\n* DO NOT use an exploit to view data without authorization or cause corruption of data.\n* DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. 
subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. 
\n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. 
\n- Vulnerabilities that require disabling security features enabled in default configurations.  \n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n# Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-19T17:21:47.104Z"},{"id":3723789,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. 
To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Adobe Commerce Guidelines](#user-content-adobe-commerce-guidelines)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Safe Harbor](#user-content-safe-harbor)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. 
Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n**UPDATE!** We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source\n## Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  
When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. 
\n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  
\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n# Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-17T20:52:50.590Z"},{"id":3723308,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. 
To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Adobe Commerce Guidelines](#user-content-adobe-commerce-guidelines)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Safe Harbor](#user-content-safe-harbor)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. 
Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n**UPDATE!** We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# CAI Content Credentials\n* https://contentcredentials.org/verify\n* C2PA Tool (https://opensource.contentauthenticity.org/docs/c2patool)\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source\n## Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. 
The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  
\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n# Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-11T16:43:58.689Z"},{"id":3723048,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. 
To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Adobe Commerce Guidelines](#user-content-adobe-commerce-guidelines)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Safe Harbor](#user-content-safe-harbor)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. 
Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n**UPDATE!** We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source\n## Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. 
XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  
When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. 
\n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  
\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n#Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n#Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-08T17:48:55.860Z"},{"id":3711697,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. 
To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Adobe Commerce Guidelines](#user-content-adobe-commerce-guidelines)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Safe Harbor](#user-content-safe-harbor)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. 
Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n**UPDATE!** We welcome all security researchers, ranging from hobbyists to full-time ethical hackers, to participate in Adobe's **Security Researcher Hall of Fame** initiative. At the end of each testing quarter, our Top 10 researchers will be announced and contacted to choose one of our amazing rewards. Please consult [this page](https://helpx.adobe.com/security/security-researcher-hall-of-fame.html) for more details about this initiative.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source\n##Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n## Tier 1 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) | \n| --------------------------| -----------------------| ------------------------- | -------------------- | \n|  $5,000 - $10,000   |  $1,000 - $5,000 |     $200 - $1,000     |    $100 - $200   |\n\n###Payout adjustments:\n* ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n## Tier 2 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) |\n| ------------- | ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $5,000 | $ 500 - $2,500 | $100 - $500 | $100 | \n\n###Payout adjustments:\n* Public repo secret leak: $1,000 
(maximum)\n* Reflected XSS: $500 (maximum)\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. 
\n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. 
\n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  
\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n#Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n#Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-29T17:37:51.580Z"},{"id":3709045,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. 
To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Adobe Commerce Guidelines](#user-content-adobe-commerce-guidelines)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Safe Harbor](#user-content-safe-harbor)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. 
Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source\n##Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n## Tier 1 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) | \n| --------------------------| -----------------------| ------------------------- | -------------------- | \n|  $5,000 - $10,000   |  $1,000 - $5,000 |     $200 - $1,000     |    $100 - $200   |\n\n###Payout adjustments:\n* ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n## Tier 2 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) |\n| ------------- | ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $5,000 | $ 500 - $2,500 | $100 - $500 | $100 | \n\n###Payout adjustments:\n* Public repo secret leak: $1,000 (maximum)\n* Reflected XSS: $500 (maximum)\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. 
\n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  
\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n- CRX/CRXDE related flaws if you are not able to extract PII information by exploiting this type of AEM misconfiguration\n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n#Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n#Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-11T09:39:39.675Z"},{"id":3706020,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. 
To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Adobe Commerce Guidelines](#user-content-adobe-commerce-guidelines)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Safe Harbor](#user-content-safe-harbor)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. 
Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source\n## Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n## Tier 1 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) | \n| --------------------------| -----------------------| ------------------------- | -------------------- | \n|  $5,000 - $10,000   |  $1,000 - $5,000 |     $200 - $1,000     |    $100 - $200   |\n\n### Payout adjustments:\n* ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n## Tier 2 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $5,000 | $500 - $2,500 | $100 - $500 | $100 | \n\n### Payout adjustments:\n* Public repo secret leak: $1,000 (maximum)\n* Reflected XSS: $500 (maximum)\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. 
\n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://helpx.adobe.com/security/key.html)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, the first report received is treated as the unique report, and subsequent reports will be marked as duplicates. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account; instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  
\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n# Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-27T23:21:28.392Z"},{"id":3705288,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. 
To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n* [Rewards](#user-content-rewards) \n* [Response Targets](#user-content-response-targets)\n* [Process](#user-content-process)\n* [Eligible Vulnerabilities](#user-content-eligible-vulnerabilities)\n* [Adobe Commerce Guidelines](#user-content-adobe-commerce-guidelines)\n* [Program Exclusions](#user-content-program-exclusions)\n* [Disclosure](#user-content-disclosure)\n* [Safe Harbor](#user-content-safe-harbor)\n* [Minors](#user-content-minors)\n* [Ineligible Participants](#user-content-ineligible-participants)\n* [Terms and Conditions](#user-content-terms-and-conditions)\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. 
Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source\n## Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n## Tier 1 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) | \n| --------------------------| -----------------------| ------------------------- | -------------------- | \n|  $5,000 - $10,000   |  $1,000 - $5,000 |     $200 - $1,000     |    $100 - $200   |\n\n### Payout adjustments:\n* ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n## Tier 2 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $5,000 | $500 - $2,500 | $100 - $500 | $100 | \n\n### Payout adjustments:\n* Public repo secret leak: $1,000 (maximum)\n* Reflected XSS: $500 (maximum)\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. 
\n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, the first report received is treated as the unique report, and subsequent reports will be marked as duplicates. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account; instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  
\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n# Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-16T18:11:22.622Z"},{"id":3699367,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. 
To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n1. Rewards \n2. Response Targets \n3. Process \n4. Eligible Vulnerabilities \n5. Adobe Commerce Guidelines \n6. Program Exclusions \n7. Disclosure \n8. Safe Harbor\n9. Minors\n10. Ineligible Participants\n11. Terms and Conditions\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source\n## Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n## Tier 1 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) | \n| --------------------------| -----------------------| ------------------------- | -------------------- | \n|  $5,000 - $10,000   |  $1,000 - $5,000 |     $200 - $1,000     |    $100 - $200   |\n\n### Payout adjustments:\n* ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n## Tier 2 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $5,000 | $500 - $2,500 | $100 - $500 | $100 | \n\n### Payout adjustments:\n* Public repo secret leak: $1,000 (maximum)\n* Reflected XSS: $500 (maximum)\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. 
The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, the first report received is treated as the unique report, and subsequent reports will be marked as duplicates. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection vulnerabilities\n- Directory traversal\n- Information disclosure\n- Significant security misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email alias feature ([username]@wearehackerone.com) when registering your account; instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchants’ stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  
\n- Submissions claiming NPM package confusion/takeover should include proof that the system(s) downloading the malicious NPM package belong to Adobe.\n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n# Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-02T20:21:08.078Z"},{"id":3678393,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. 
To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.\n\n*At the time of report submission, Adobe will request your “testing IP address”. By providing your testing IP address, this will allow Adobe to conduct expedited incident response investigations by ruling your traffic out from valid adversary traffic. This will also help ensure your testing traffic is not blocked/interrupted while bug hunting.*\n\n*In order to receive a monetary bug bounty payout (when applicable), you must provide your Testing IP address. This information is also required in order to fall within Adobe’s Safe Harbor policy.*\n\n*Note: you always have the ability, at any time, to request Adobe remove your IP address data. If you need this data expunged, please reach out to PSIRT@adobe.com*\n\n## Table of Contents\n1. Rewards \n2. Response Targets \n3. Process \n4. Eligible Vulnerabilities \n5. Adobe Commerce Guidelines \n6. Program Exclusions \n7. Disclosure \n8. Safe Harbor\n9. Minors\n10. Ineligible Participants\n11. Terms and Conditions\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  
If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source\n## Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n## Tier 1 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) | \n| --------------------------| -----------------------| ------------------------- | -------------------- | \n|  $5,000 - $10,000   |  $1,000 - $5,000 |     $200 - $1,000     |    $100 - $200   |\n\n### Payout adjustments:\n* ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n## Tier 2 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $5,000 | $500 - $2,500 | $100 - $500 | $100 | \n\n### Payout adjustments:\n* Public repo secret leak: $1,000 (maximum)\n* Reflected XSS: $500 (maximum)\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. 
The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  
To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n# Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-10-10T22:20:16.014Z"},{"id":3667652,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report. \n\n## Table of Contents\n1. Rewards \n2. Response Targets \n3. Process \n4. Eligible Vulnerabilities \n5. Adobe Commerce Guidelines \n6. Program Exclusions \n7. 
Disclosure \n8. Safe Harbor\n9. Minors\n10. Ineligible Participants\n11. Terms and Conditions\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source\n## Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n## Tier 1 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) | \n| --------------------------| -----------------------| ------------------------- | -------------------- | \n|  $5,000 - $10,000   |  $1,000 - $5,000 |     $200 - $1,000     |    $100 - $200   |\n\n### Payout adjustments:\n* ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n## Tier 2 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $5,000 | $500 - $2,500 | $100 - $500 | $100 | \n\n### Payout adjustments:\n* Public repo secret leak: $1,000 (maximum)\n* Reflected XSS: $500 (maximum)\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. 
Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  
To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n# Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-05T09:49:40.199Z"},{"id":3657457,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report. \n\n## Table of Contents\n1. Rewards \n2. Response Targets \n3. Process \n4. Eligible Vulnerabilities \n5. Adobe Commerce Guidelines \n6. Program Exclusions \n7. 
Disclosure \n8. Safe Harbor\n9. Minors\n10. Ineligible Participants\n11. Terms and Conditions\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Magento. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source\n## Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n## Tier 1 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) | \n| --------------------------| -----------------------| ------------------------- | -------------------- | \n|  $5,000 - $10,000   |  $1,000 - $5,000 |     $200 - $1,000     |    $100 - $200   |\n\n### Payout adjustments:\n* ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n## Tier 2 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $5,000 | $500 - $2,500 | $100 - $500 | $100 | \n\n### Payout adjustments:\n* Public repo secret leak: $1,000 (maximum)\n* Reflected XSS: $500 (maximum)\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. 
Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  
To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n#Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n#Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-26T15:13:14.697Z"},{"id":3657421,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report. \n\n## Table of Contents\n1. Rewards \n2. Response Targets \n3. Process \n4. Eligible Vulnerabilities \n5. Adobe Commerce Guidelines \n6. Program Exclusions \n7. 
Disclosure \n8. Safe Harbor\n9. Minors\n10. Ineligible Participants\n11. Terms and Conditions\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Magento. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source.\n##Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n## Tier 1 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) | \n| --------------------------| -----------------------| ------------------------- | -------------------- | \n|  $5,000 - $10,000   |  $1,000 - $5,000 |     $200 - $1,000     |    $100 - $200   |\n\n###Payout adjustments:\n* ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n## Tier 2 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) |\n| ------------- | ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $5,000 | $ 500 - $2,500 | $100 - $500 | $100 | \n\n###Payout adjustments:\n* Public repo secret leak: $1,000 (maximum)\n* Reflected XSS: $500 (maximum)\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. 
Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  
To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n#Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n#Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-25T21:30:43.191Z"},{"id":3657420,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report. \n\n## Table of Contents\n1. Rewards \n2. Response Targets \n3. Process \n4. Eligible Vulnerabilities \n5. Adobe Commerce Guidelines \n6. Program Exclusions \n7. 
Disclosure \n8. Safe Harbor\n9. Minors\n10. Ineligible Participants\n11. Terms and Conditions\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Magento. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.  If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source.\n##Scope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n## Tier 1 Payout Ranges\n\n| Critical (9.0 - 10.0) |   High (7.0 - 8.9)  | Medium (4.0 - 6.9) |  Low (0.1 - 3.9) | \n| --------------------------| -----------------------| ------------------------- | -------------------- | \n|  $5,000 - $10,000   |  $1,000 - $5,000 |     $200 - $1,000     |    $100 - $200   |\n\n###Payout adjustments:\n* ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==\n\n# Tier 2:\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n## Tier 2 Payout Ranges\n\n| Critical  | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $5,000 | $ 500 - $2,500 | $100 - $500 | $100 | \n\n###Payout adjustments:\n* Public repo secret leak: $1,000 (maximum)\n* Reflected XSS: $500 (maximum)\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. 
Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  
To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n#Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n#Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-25T21:28:57.887Z"},{"id":3657419,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\nResearchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report. \n\n## Table of Contents\n1. Rewards \n2. Response Targets \n3. Process \n4. Eligible Vulnerabilities \n5. Adobe Commerce Guidelines \n6. Program Exclusions \n7. 
Disclosure \n8. Safe Harbor\n9. Minors\n10. Ineligible Participants\n11. Terms and Conditions\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Magento. Adjustments to the bounty payout ranges are noted below each tier’s payout table.  \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.\n\n# Tier 1: Magento 2 Commerce, Commerce B2B, and Open Source\nScope:\n* Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration \n* Bundled extensions\n\n## Tier 1 Payout Ranges\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) | \n| ------------------------- | ---------------------- | ------------------------- | -------------------- | \n| $5,000 - $10,000 | $1,000 - $5,000 | $200 - $1,000 | $100 - $200 |\n\n### Payout adjustments:\n* ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==\n\n# Tier 2:\n\n## Scope:\n* account.magento.com\n* accounts.magento.cloud\n* u.magento.com\n* magentolive.com\n* imagine.magento.com\n* marketplace.magento.com\n* repo.magento.com\n* magentocommerce.com\n* magento.com\n\n## Tier 2 Payout Ranges\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $5,000 | $500 - $2,500 | $100 - $500 | $100 | \n\n### Payout adjustments:\n* Public repo secret leak: $1,000 (maximum)\n* Reflected XSS: $500 (maximum)\n\nNOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. 
Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce. \n\nNOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.  \n\n\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Adobe Commerce Guidelines\n\nPlease review the following guidelines before submitting your report: \n\n- DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here. \n- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward. \n- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques. \n- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations. \n- DO NOT cause a potential or actual denial of service of Magento applications and systems. \n- DO NOT use an exploit to view data without authorization or cause corruption of data. \n- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n\n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- Missing best practices in SSL/TLS configuration. \n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure \n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- Comma Separated Values (CSV) injection without demonstrating a vulnerability. \n- Vulnerabilities in custom code developed by merchants / 3rd parties. \n- Vulnerabilities in 3rd party extensions or available from the extension market. \n- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL. \n- Attacks requiring MITM or physical access to a user's device. \n- Vulnerabilities that require disabling security features enabled in default configurations.  \n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  
To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Minors\nMinors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty. \n\n\n# Ineligible Participants\nThis program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria. \n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-25T21:17:42.966Z"},{"id":3656112,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers.  To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\n## Table of Contents\n1. Response Targets\n2. Process\n3. Eligible Vulnerabilities\n4. Program Exclusions\n5. Disclosure \n6. Safe Harbor \n7. 
Terms and Conditions\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. \n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Rewards\nThis program does not provide monetary rewards for bug submissions.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-03T22:12:02.432Z"},{"id":3651675,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers.  To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\n## Table of Contents\n1. Response Targets\n2. Process\n3. Eligible Vulnerabilities\n4. Program Exclusions\n5. Disclosure \n6. Safe Harbor \n7. Terms and Conditions\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely. 
\n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email 
enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Rewards\nThis program does not provide monetary rewards for bug submissions.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-28T18:02:00.264Z"},{"id":3642872,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers.  To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\n## Table of Contents\n1. Response Targets\n2. Process\n3. Eligible Vulnerabilities\n4. Program Exclusions\n5. Disclosure \n6. Safe Harbor \n7. 
Terms and Conditions\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n\n# Disclosure\nIn the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Rewards\nThis program does not provide monetary rewards for bug submissions.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-25T21:46:27.711Z"},{"id":3642871,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers.  To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\n## Table of Contents\n1. Response Targets\n2. Process\n3. Eligible Vulnerabilities\n4. Program Exclusions\n5. Disclosure \n6. Safe Harbor \n7. Terms and Conditions\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. 
\n\n# Disclosure\n* In the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities.  To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.\n\n# Rewards\n* This program does not provide monetary rewards for bug submissions.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. 
\n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-25T21:45:40.257Z"},{"id":3642410,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers.  To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\n## Table of Contents\n1. Response Targets\n2. Process\n3. Eligible Vulnerabilities\n4. Program Exclusions\n5. Disclosure \n6. Safe Harbor \n7. 
Terms and Conditions\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. \n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n\n# Disclosure\n* Disclosure requests will be reviewed on a case by case basis with the interests of the security community and users in mind. \n\n# Rewards\n* This program does not provide monetary rewards for bug submissions.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  
Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. 
This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-14T22:04:16.352Z"},{"id":3642408,"new_policy":"Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers.  To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible. \n\n## Table of Contents\n1. Response Targets\n2. Process\n3. Eligible Vulnerabilities\n4. Program Exclusions\n5. Disclosure \n6. Safe Harbor \n7. Terms and Conditions\n\n# Response Targets\nAdobe makes every effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days | \n|----------|--------------------|\n|  First Response | 1 day | \n| Time to Triage   | 2 days |\n|  Time to Resolution   | dependent on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Process\nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  \n \n*  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n*  Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.  We encourage you to use PGP encryption ([key here](https://blogs.adobe.com/psirt/?page_id=1498)). \n*  If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n*  When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 
\n \n \n# Eligible Vulnerabilities\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n# Program Exclusions\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)\n- Missing HTTP security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. 
\n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/*] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n- We are aware that anonymous FTP service is available for ftp.adobe.com.  This server is available for general distribution of various publicly available assets.\n\n# Disclosure\n* Disclosure requests will be reviewed on a case by case basis with the interests of the security community and users in mind. \n\n# Rewards\n* This program does not provide monetary rewards for bug submissions.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\n# Terms and Conditions\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n-  When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n-  Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n-  Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n-  Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n- Please do not test for spam, social engineering, or denial of service issues. \n- Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.\n- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.\n- Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-14T20:56:38.178Z"},{"id":3641652,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  This program does not provide monetary rewards for bug submissions. \n\nAll vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](https://blogs.adobe.com/psirt/?page_id=1498)).   
\n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   \n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing oauth tokens)\n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to 
extend product trial periods. \n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/*] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n- We are aware that anonymous ftp service is available for ftp.adobe.com.  This server is available for general distribution of various publicly available assets.\n\n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n- When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.\n- If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.\n- When duplicates occur, we consider the first report that was received to be treated as unique and subsequent reports will be marked as a duplicate. \n\n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please do not test for spam, social engineering, or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-24T20:06:02.529Z"},{"id":3639272,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  
This program does not provide monetary rewards for bug submissions. \n\nAll vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](https://blogs.adobe.com/psirt/?page_id=1498)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration (please follow [best practice](https://www.hackerone.com/blog/Guide-Subdomain-Takeovers) when reporting subdomain takeovers)\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing oauth tokens)\n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/*] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n- We are aware that anonymous ftp service is available for ftp.adobe.com.  This server is available for general distribution of various publicly available assets.\n\n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  
\n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-07T00:04:20.060Z"},{"id":3621795,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  This program does not provide monetary rewards for bug submissions. \n\nAll vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](https://blogs.adobe.com/psirt/?page_id=1498)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing oauth tokens)\n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/*] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n- We are aware that anonymous ftp service is available for ftp.adobe.com.  This server is available for general distribution of various publicly available assets.\n\n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  
\n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-21T15:23:42.626Z"},{"id":3572788,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  This program does not provide monetary rewards for bug submissions. \n\nAll vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](http://blogs.adobe.com/psirt/?page_id=1498)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Cross-site tracing (XST)\n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing oauth tokens)\n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/*] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n- We are aware that anonymous ftp service is available for ftp.adobe.com.  This server is available for general distribution of various publicly available assets.\n\n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  
\n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-04-02T16:37:09.465Z"},{"id":3567963,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  This program does not provide monetary rewards for bug submissions. \n\nAll vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](http://blogs.adobe.com/psirt/?page_id=1498)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing oauth tokens)\n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/*] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n- We are aware that anonymous ftp service is available for ftp.adobe.com.  This server is available for general distribution of various publicly available assets.\n\n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  
\n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-31T18:07:17.286Z"},{"id":3567500,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  This program does not provide monetary rewards for bug submissions. \n\nAll vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](http://blogs.adobe.com/psirt/?page_id=1498)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing oauth tokens)\n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- Methods to extend product trial periods. \n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/*] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. 
\n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-25T19:16:17.587Z"},{"id":3561784,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  This program does not provide monetary rewards for bug submissions. \n\nAll vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](http://blogs.adobe.com/psirt/?page_id=1498)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing oauth tokens)\n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/*] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. 
\n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-17T22:36:46.984Z"},{"id":3561199,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  This program does not provide monetary rewards for bug submissions. \n\nAll vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](http://blogs.adobe.com/psirt/?page_id=1498)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/*] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-03T18:24:31.528Z"},{"id":3555093,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  This program does not provide monetary rewards for bug submissions. \n\nAll vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](http://blogs.adobe.com/psirt/?page_id=146/)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/*] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-05T21:49:56.892Z"},{"id":3551285,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  While this program does not provide monetary rewards for bug submissions, top researchers in our program are eligible to participate in paid, private pen-testing engagements. \n\nAll vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](http://blogs.adobe.com/psirt/?page_id=146/)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/*] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-12T20:34:10.814Z"},{"id":3548443,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  All vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](http://blogs.adobe.com/psirt/?page_id=146/)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/*] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-07T23:19:18.922Z"},{"id":3548442,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  All vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](http://blogs.adobe.com/psirt/?page_id=146/)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n- We are aware that the public code repo available at [https://repo.adobe.com/nexus/content/groups/public/] is exposed.  This is expected behavior, and we do not consider it a security vulnerability. \n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-07T22:47:58.149Z"},{"id":2406920,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  All vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [PSIRT@adobe.com] (PGP key available [here](http://blogs.adobe.com/psirt/?page_id=146/)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-03-24T18:56:50.596Z"},{"id":2282634,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  All vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [\u003cPSIRT@adobe.com\u003e] (PGP key available [here](http://blogs.adobe.com/psirt/?page_id=146/)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Content spoofing / text injection\n- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]\n- Logout and other instances of low-severity Cross-Site Request Forgery \n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Password and account recovery policies, such as reset link expiration or password complexity\n- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n- SSL/TLS best practices\n- Clickjacking/UI redressing with no practical security impact\n- Software version disclosure\n- Username / email enumeration via Login Page or Forgot Password Page error messages\n\n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-02-24T18:24:23.841Z"},{"id":1653653,"new_policy":"**Guidelines**\n \nThis disclosure program is limited to security vulnerabilities in web applications owned by Adobe.  All vulnerabilities affecting Adobe desktop products (ex. Flash Player and Adobe Reader), or enterprise on-premise solutions should be reported via email to the Product Security Incident Response Team [\u003cPSIRT@adobe.com\u003e] (PGP key available [here](http://blogs.adobe.com/psirt/?page_id=146/)).   \n \n**Eligible Vulnerabilities**\n \nWe encourage the coordinated disclosure of the following eligible web application vulnerabilities:  \n \n- Cross-site scripting \n- Cross-site request forgery in a privileged context\n- Server-side code execution\n- Authentication or authorization flaws\n- Injection Vulnerabilities\n- Directory Traversal\n- Information Disclosure\n- Significant Security Misconfiguration\n \nTo receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing.  When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.   
\n \n**Program Exclusions**\n \nWhile we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program: \n \n- Logout and other instances of low-severity cross-site request forgery \n- Perceived issues with password reset links \n- Missing http security headers \n- Missing cookie flags on non-sensitive cookies \n- Clickjacking on static pages \n \n**Process**\n \nYour submission will be reviewed and validated by a member of the Product Security Incident Response Team.  Providing clear and concise steps to reproduce the issue will help to expedite the response.   \n \n**Terms and Conditions**\n \n- Please use your own account for testing or research purposes.  Do not attempt to gain access to another user’s account or confidential information.  \n- Please do not test for spam, social engineering or denial of service issues. \n- Your testing must not violate any law, or disrupt or compromise any data that is not your own. \n- Please contact PSIRT@adobe.com to report security incidents such as customer data leakage or breach of infrastructure.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-09T08:44:49.174Z"}]