Researcher Q&A: AEM solution architect by day, Adobe bug bounty hunter by night

At Adobe, proactively finding and fixing potential weaknesses in products before they reach our users is critical to fostering trust among our customers, partners, and communities. If you’re curious about the community of security researchers who actively participate in Adobe’s bug bounty program, let us introduce you to one of our top contributors, Jim.

Jim is currently an Adobe Experience Manager (AEM) Solution Architect at a financial institution based in London, UK and has been working with the AEM product for seven years. When he’s not working or doing bug bounty research, you’ll likely find Jim brewing beer or on a spin bike at the gym.

We sat down with Jim to learn more about his personal bug bounty journey and get his advice for aspiring researchers.

Let’s talk a bit about your career and background. How did you get started in the tech space?

I’ve always been interested in computers from an early age ever since I received my first computer when I was just five years old. My first job out of university was in software development, and after about 10 years, I decided I wanted a change in my career. I started doing web development at a company that uses Adobe Experience Manager (AEM) as the main product for their solutions.

Although I’m a solution architect now, I’m a firm believer in “once a dev, always a dev” — I still code in my free time and develop cool and useful things I need in my daily life.

What initially got you interested in cybersecurity and specifically bug bounty?

While I grew curious about security when I was much younger, I didn’t pursue anything further until recent years. Back then, reporting security issues was generally frowned upon and could be considered illegal even if it came from non-malicious intent.

Fast forward to 2022, it really caught my attention when media coverage about Log4j vulnerabilities was everywhere in the headlines. After constantly hearing about this new security problem, my own curiosity led me to watch YouTube videos on Log4j, and I found myself in a deep rabbit hole on the internet. That was when I realized there was a whole community of bug bounty hunters who were cleaning up this vulnerability, and I was inspired by the fact that there were actual security researchers out there wanting to find and disclose security problems for the greater good.

So, I signed up for a couple of ethical hacking platforms, one of them being HackerOne. Within my first day of hunting on the platform, I found a cross-site scripting issue and thought, “Well, I found one. What else can I find?”

Are there any key tools, takeaways, or trainings that helped you jumpstart into your bug bounty journey?

For the most part, I leveraged my developer’s mindset, as good developers are generally aware of both the right and wrong way to do things. I understood most things coming mainly from my own experience mitigating threats firsthand throughout my career.

To supplement my learning, I also started watching educational YouTube videos and listening to a couple of podcasts. One that I particularly recommend checking out is the Critical Thinking — Bug Bounty Podcast, which features lots of cool tips and content around bug bounty.

What initially attracted you to Adobe’s bug bounty program?

During my first month or so hunting, I didn’t have much luck finding bugs. At that point, I decided I needed to play to my strengths and stick to what I knew well. Given the fact that I was already exposed to AEM and other Adobe products in my day job, I began searching for bug bounty programs that were using AEM. I naturally landed on Adobe’s Vulnerability Disclosure Program (VDP) and found a bug, which turned out to be three or four bugs. From here, I was motivated to continue working with Adobe and eventually got rerouted to the Adobe-VIP program.

Throughout my time hacking for Adobe, my knowledge about AEM as a product has increased tremendously, which has enabled me to do my day job better. It’s made me much more aware of the different types of security problems that exist and has helped me become better at creating secure solutions. Nowadays, I tend to look at things from a security angle and ask questions that others might not bother looking into.

What is your motivation when participating in a bug bounty program?

While a big motivator comes from the financial incentives offered in a program, a good side effect that comes along with it is knowing that my contributions are beneficial for everyone and help build better products. Given that I use AEM in my daily work life, a more secure product is a win for me as well.

Another motivating element of bug bounty hunting is that it’s fun — it’s like a puzzle. Solving complex security problems can be quite satisfying and rewarding.

What advice would you give to aspiring bug bounty hunters?

Play to your strengths. Spend time understanding what kind of bug bounty hunter you are and stick to it. You might need to try a bit of everything at first, but you’ll eventually find your niche.

Explore More

Learn more about Adobe’s bug bounty program on HackerOne

Connect with Jim — LinkedIn | Twitter: @GreenJamSec