CyberWire-X 8.17.25
Ep 52 | 8.17.25

Strengthening product security through ethical hacker collaboration.

Transcript

Dave Bittner: Welcome to CyberWire-X, where we unpack the critical conversations shaping cybersecurity today. I'm Dave Bittner. Bug bounty programs are where businesses meet ethical hackers, a partnership built on curiosity, skill, and a shared goal: better security. But building that trust isn't as simple as swapping vulnerabilities for payouts. In today's episode, Ani Turner, Senior Security Engineer and bug bounty program lead at Adobe, and Jasmin Landry, a seasoned ethical hacker and one of Adobe's top researchers, unpack what it really takes to make this relationship thrive. From the motivations driving both sides to the myths that still cloud the field, we dig into the wins, the roadblocks, and the quiet factors like communication and shared purpose that can turn a bounty board into a real security asset. [ Music ] So today, we're talking about strengthening product security through ethical hacker collaboration. Before we dig into some of the details here, I'd love to learn a little bit about each of you. Ani, let me start with you. Where did you get your start, and what led you to where you are today?

Ani Turner: Yeah, so I actually started out as a software engineer, very nontraditional. But I was aware of, you know, some basic security practices as an engineer. But honestly, security wasn't something I focused on deeply at first. That changed when I was pursuing my master's in information systems and took an introductory cybersecurity class. It kind of opened my eyes to just how fragile the system we built can be and how a single oversight can lead to a major vulnerability. And so I realized that nothing we build is truly secure by default. And that really sparked something in me. From that point on, I knew I wanted to focus on cybersecurity full-time, not just building applications, but primarily protecting them. And then bug bounty programs kind of felt like a natural extension of that passion because they bring together builders and breakers in a really collaborative, ethical, and impactful way.

Dave Bittner: Well, Jasmin, how about you? You're on the bug bounty hunter side of things here. How did that become the thing that drew your attention?

Jasmin Landry: So I started working in IT a while back now, roughly like 12, 13 years ago. And just before that, in school, I had a teacher that was really passionate about cybersecurity. I learned that I could hack as a job -- as my day job, as a pen tester. So this was like my short-term career goal. So while I was working in IT, I did a few certifications in cybersecurity to help me land a job in cybersecurity, which I eventually got. So I started working as a pen tester. And around that same time, I heard about bug bounties. I was seeing people getting, I guess, large bounties on products. So I figured I'd, you know, give it a shot. It did not start well. So it took a year to, like, improve my skills, learn a lot more. And then a year later, I started looking at bug bounty again. And then it eventually worked out. So I had been doing bug bounty as a hobby or part-time roughly since 2017, 2018 and only decided to do it full-time almost a year ago, back in September of 2024. So I've been really enjoying it, doing it full-time now. It's really fun finding a few good bugs on Adobe. So yeah, I've been really enjoying it.

Dave Bittner: Ani, for folks who might not be familiar, can you describe for us Adobe's bug bounty program? I mean, how is it organized? What's the structure?

Ani Turner: Our bug bounty program has multiple components to it. We have a public program with multiple products onboarded for everybody to kind of go in and hack. We have secure environments set up and ensure that, you know, every report that we receive will be reviewed and assessed immediately as soon as we get them. We have our VIP program, which is our private program. And it is an invite-only initiative where we build closer relationship with top-performing researchers. And we offer them kind of early access to scopes, personalized feedback, and then opportunities to engage directly with our internal teams. And so it's a kind of a great way for us to learn from their expertise and for them to get more value out of the program. But with both our public and our private program, we offer pretty much all of the programs Adobe currently has as a way to hack in and find vulnerabilities in.

Dave Bittner: So, Jasmin, what was it that attracted you to Adobe specifically for your own bug bounty hunting?

Jasmin Landry: So it actually started off with a pen test. Adobe uses HackerOne as a crowdsourced pen testing. I'm part of the pen testers on HackerOne. So I was looking at one of their products on the pen test and stumbled on a vulnerability which wasn't in scope for the pen test. So I asked them, like, where should I report it? And they guided me through the Adobe VIP program, submitted it on there. And then within a week, it got paid and fixed, which is pretty fast in terms of bug bounty programs. And they treated me pretty well. So I figured I'd stay on Adobe's program. This is like two years ago now. I haven't been too regular because, you know, sometimes it's getting hard to find bugs. But every once in a while, I go back to Adobe. It's been my main program for the past -- at least for the past year or so. So, yeah, I've been really enjoying my time with Adobe. They treat me pretty well. I've been finding good bugs. They also appreciate me as well. So it goes both ways. So it's been fun working with Adobe.

Dave Bittner: Well, let's dig into that aspect of it. I mean, Ani, when you're working with folks like Jasmin, as he says, he feels as though he's being treated well. Like, Adobe is a good partner in this process. How do you ensure that? What are the things that are important that this stays a collaborative process?

Ani Turner: You know, the biggest part of that kind of collaboration is trust. And the heart of a bug bounty program should be trust, right? Because you're working with so many different individuals from all over the world with different backgrounds. If researchers don't trust that we'll take their work seriously, respond respectfully and promptly, just like Jasmin was saying, and then reward them fairly, they won't engage. Or they may leave after a bad experience. Companies need to trust that researchers will act ethically and stay within scope, but that mutual trust is what makes the whole system work. So, you know, at Adobe, we strive to build that trust by demonstrating that we truly value every report. And we focus on fast, respectful communication and full transparency, and how findings will be handled as well internally. So, yeah, the researchers need to see that we invest real time and resources to validate and remediate vulnerabilities, not just check a box. And so I think setting clear upfront, you know, rules like our policies and program scopes need to be exactly crystal clear. And this clarity kind of helps researchers feel confident in their efforts and that they will be recognized and taken seriously. So, yeah, we also, you know, maintain a fair and consistent reward structure because when researchers trust they'll be rewarded appropriately, I think they're more motivated to prioritize our program and submit higher-quality findings.

Dave Bittner: And I suppose, along with that, folks want to get paid in a timely manner. Jasmin, has that been your experience as well, that that makes a difference?

Jasmin Landry: It does, especially when you're doing it full-time. You don't want to wait months and weeks and months to get paid. The faster you get paid, the chances are that you're going to go back to the program or stick to that program. So for me with Adobe, it's always been like, I know what to expect. They pay pretty fast compared to other programs out there. The same thing in terms of fixing bugs, because if they fix bugs fast, that means I have less chances of getting duplicates. And when I do get a duplicate, that means I'm not getting paid. So when they fix fast and pay fast is definitely one of the main criteria of when I look for a new program to hack on or just stay on an existing program that I've been on from the past, you know, in the past.

Dave Bittner: Ani, I'm curious, are there any common misconceptions that you find people have when it comes to bug bounty programs?

Ani Turner: Absolutely. I think maybe one common misconception is that bug bounty programs are kind of an open invitation to hackers to just find and exploit vulnerabilities, which can make some companies probably hesitant to run them. When in reality, bug bounty programs are carefully scoped and managed environments that encourage ethical researchers to help improve security in a controlled way. I would also say another misconception is that bug bounty programs will flood teams with low-quality or duplicate reports, which can happen, and it can create a lot of noise rather than value. And while that can, you know, happen, like I said, in poorly designed programs, a well-run bug bounty program probably includes a clear scope, strong triage processes, and then good communication to just ensure that researchers submit meaningful findings and duplicates are minimized. And then maybe some may also think that bug bounty programs can replace other security practices like penetration testing or even secure development. But bug bounty is, in my opinion, best seen as a complement to those efforts, right? It's a way to add continuous and external testing and fresh perspectives beyond what an internal team can provide. And then finally, I'd say maybe there can be misunderstandings on the researcher side, too, such as, like, expecting guaranteed rewards or underestimating the time it takes for companies to validate and fix a report. Because things can take a while, and some reports are, you know, informative. They're not really a security vulnerability or a value to us. And so that guaranteed reward can be misunderstood as well. But at Adobe, I would say we take, you know, every finding from our bug bounty program very seriously. And once the vulnerability is reported, it goes, you know, through a thorough validation process to confirm its legitimacy, and then assess its impact. So it isn't just a quick check. Like, we dedicate actual time and resources to fully understand the issue and then prioritize it appropriately. And then I'd say also fixing the vulnerability kind of involves close collaboration across security, engineering, and our internal product teams. So we don't just patch the specific bug and move on. Like we analyze root causes to prevent similar issues from recurring. And then that can include like, internal strategic remediation efforts or improving code quality or architecture. So, yeah, just to emphasize, like we really care about transparent communication, and not only keeping the researcher informed, but also ensuring product teams understand our security implications so they can build more resilient systems moving forward. So the goal is not only to resolve individual findings, but to continuously strengthen our security posture. And so with these common misconceptions, I mean, there's always a chance that other companies might be a little bit more hesitant to have a bug bounty program. But for us, it's the key, and it's one of our, you know, greatest investments.

Dave Bittner: Jasmin, I'm curious, you know, from your point of view, when you decided to go pro -- and this is, you know, your full-time endeavor here -- were there frustrations that you ran up against, particular challenges as you settled into this being the thing that you focus all your time on?

Jasmin Landry: Not really, because I've been on, like, a new side, right? I did work in, like, product security and other companies, so I know how it works. I know, like she was mentioning, about collaboration between engineering, product, and security, and it's not always easy. So, for example, when I find a bug and I don't get paid the next day, I know it's totally normal, right? And like the time that Adobe pays, I find it really impressive, which is why I stick to that program. Because in the past companies that I worked with, it always took a long time. Researchers did get frustrated about it. But it's maybe because they don't have the context or internal knowledge of what's actually going on in the background. Like she was saying, like, we don't -- I mean, we, on the product side, don't want to patch the bug. We want to find, like, the root cause and see if we can find other places where it's vulnerable so that we can, like, you know, fix it holistically. So, for me, starting full-time, I already have, like, expectations on what to expect when submitting bugs to programs. I know I won't get paid the next day. Sometimes, yes, but it's pretty rare. And like I've been doing it as a hobby for roughly five, six years, so with experience, you know, I won't say I don't have any frustrations anymore, but since I've been doing it for a while, I know how it works both from the hacker side, both on the product side, and the triage side as well. So I've been on all sides of bug bounty. So, you know, with my experience, I don't really have any frustration because I just know that that's how bug bounty is.

Dave Bittner: Yeah, you know, you've got yourself properly calibrated.

Jasmin Landry: Exactly. Yeah.

Dave Bittner: Yeah. Ani, you know, it sounds to me like a real key to success here is robust communications between your team at Adobe and the folks that you've engaged with for these bug bounties. Would you agree that that's a really critical element here?

Ani Turner: Oh, absolutely, yes.

Dave Bittner: And how do you ensure that those lines of communication stay open and are effective?

Ani Turner: I would say, you know, the communication is key here at Adobe. We make sure that when we receive a bug that we ensure that our researchers are communicated with very quickly. So when we have certain questions, because sometimes a bug comes in and we have to ask more questions in order to actually replicate it or ensure that we can fix it internally. And for that, we have to have that good communication with our product teams internally, but as well with our researchers externally. And to kind of bridge that gap between them. And then once the bug is fixed, we want to ensure that we also communicate with our researchers and let them know that it is fixed. Just like Jasmin said, it is important to them to know that this is fixed and they don't have to, you know, worry about duplicates in the future. And for us, it's important that we let our researchers know that we do value what they submitted and that we want to ensure that what they submitted was fixed as quickly as possible, with the most efforts internally that we could provide.

Dave Bittner: Yeah. Jasmin, I suspect from your point of view that you don't ever want to feel like you've been left hanging, you know, where somebody goes silent on you.

Jasmin Landry: Yeah, exactly. I mean, it does happen in bug bounty where it takes a while to get a bug fixed or get, like, an update or something. It is part of the game because, you know, I need an out-of-this-product security team. They have other things to do than to just look at our triage and, you know, respond to us every single day. But like it does happen. I'd say it's pretty rare, depending on the program. But yeah, it's for sure. Communication is a big key in bug bounty success from both sides, from researcher side and the product side as well. So when a program communicates well and they're as transparent as they can be, then this is a big plus for sure.

Dave Bittner: Well, I would be remiss to not ask you both about AI and where you suppose that may take us, the possibilities, both positive and negative, as we're in this era of AI. Jasmin, let me start with you as the practitioner here. Is this playing a part in the work that you do these days?

Jasmin Landry: It is. I'm using it on a daily basis. That's 100% true, both on the hacking side of things. So I'm using it mainly to, like, build POCs once in a while, sometimes like even brainstorm on ideas. For example, I'd say, okay, I have this specific endpoint. I suspect this is happening in the backend. What could I try to, you know, try to find a bug here? And it is replying to me sometimes with really good stuff that I didn't think of. So I'm using it both on that side of, let's say, bug bounty and also on the reporting side. So since English is not my first language, I use it sometimes to, like, you know, describe the impact better or try to do like a proper description of what the bug is. And of course, while redacting everything, I don't want to share my bugs directly to the AI, but, like, the technical details of their vulnerability without exposing the data or the target, of course. So it does help in terms of better report writing. I'm also trying to automate some of my findings as well while using AI. So maybe I can, you know, try to scale up, have like a hack bot just for myself. So, yeah, this is how I use AI for now for sure.

Dave Bittner: Ani, how about you? What sort of use, if any, are you having with AI on Adobe's side?

Ani Turner: Yeah, I mean, I think we will see more and more AI popping up in the future. Right now, I'd say we primarily use AI for internal automations to make our work -- our teams work more efficient and effective. The kind of -- those automations help us focus our attention more on the critical vulnerabilities and streamline triage and remediation, which does ultimately strengthen our overall security posture. So having that AI component and that automation internally definitely allows us to focus on, you know, the highest impact vulnerabilities faster. And that's been just incredible to see evolve within Adobe. And obviously, like, the more we have AI products within Adobe as well. So receiving more findings for our AI products, that's been very exciting for us as well to see how researchers approach these vulnerabilities and then how we can make sure that these AI tools are secured and effectively used.

Dave Bittner: I want to wrap up with the both of you by looking a bit towards the horizon here. I mean, where do you suppose we're headed? And Jasmin, as you look towards the future of bug bounty programs and these collaborations and your job as a hunter, what do you think the future holds?

Jasmin Landry: That's a great question. To be honest, I'm not even sure. For example, I could get replaced by AI in, like, five, 10 years. I really have no idea. I'm hoping that won't happen. It'll just be like a collaborative effort with AI because I do love hacking and love finding bugs. So I'm hoping that I'll still be useful in a couple of years. But I guess this is up to us to, like, prove that AI is good, but it doesn't work well or as well with a human collaborating with it. I definitely see a big change coming up in the next couple of years, where I think AI will improve a lot in terms of finding bugs, and so I think it's up to us to change and prove, I guess, our value that we are still useful for companies, right?

Dave Bittner: Ani, how about you?

Ani Turner: Well, I'd say looking ahead, I think I see bug bounty programs kind of evolving from being primarily reactive vulnerability discovery tools to becoming integral components of proactive security strategies. And then from a business standpoint, I think companies will increase -- is increasingly use bug bounty data, not just to fix bugs, but to drive security innovation and risk management at a scale. So, you know, this means that integrating bug bounty insights to broader security metrics or helping leadership make informed decisions on where to invest in security, engineering, and controls. Like we talked about, I think we'll see more automation and AI-assisted triage to kind of manage the growing volume of reports and focus on those high-impact vulnerabilities. And then with more transparency and better communication tools and even co-creation of security solutions, I think collaboration between companies and researchers will for sure deepen. I think at Adobe, we've been working really hard to do that already. And then finally, I would say I anticipate bug bounty programs to extend beyond traditional software to cover, you know, emerging areas, maybe, you know, cloud infrastructure, AI systems, which, at Adobe, we've already begun expanding our programs to include those. But yeah, ultimately, you know, bug bounty programs will be key business enablers and help organizations manage risk effectively while also moving faster and more confidently in their innovation.

Dave Bittner: And that is our show. Our thanks to Ani Turner, Senior Security Engineer and bug bounty program lead at Adobe, and Jasmin Landry, a seasoned ethical hacker and one of Adobe's top researchers. Thanks for listening. We'll see you back here next time. [ Music ]