SAN FRANCISCO -- In November 2012, Russian cybercrime investigation firm Group-IB made waves when it disclosed a potentially devastating zero-day exploit in Adobe Systems Inc.'s Reader X software that could have allowed attackers to bypass its built-in application sandbox capabilities.
According to Brad Arkin, senior director of product security at Adobe, the problem with Group-IB's disclosure is that it wasn't based in fact. Despite repeated efforts on Adobe's part to work with Group-IB to validate the claims, Arkin says the company was never able to substantiate them.
In this video, recorded at the 2013 RSA Conference, Arkin details Adobe's stance on vulnerability disclosure policy and the importance of establishing lines of communication with exploit developers and researchers. He explains how Adobe handles every vulnerability disclosure from an outside party with care and is willing to work with anyone who wants to help secure Adobe's customers. He also discusses the vulnerability research presented at hacking contests like Pwn2Own, and the effect that nation-state cyberespionage has on software security.