We found an XSS in the “language” parameter. The susceptible domain was “freeriatools.adobe.com” where you have the opportunity to download some software.
After we had a positiv experience with the first contact via social media (twitter) in other cases, we decided to sent a tweet @Adobe_Care (the support team of adobe) and ask for the right contact person. We received an answer outlining an emailadress to which we should send our security concerns. After one week someone verified our report and forwarded it to the development team.
@internetwache Hi and thanks for reaching out. Yes, please DM us your concerns. Thanks, ^Bing— Adobe Customer Care (@AdobeCare) 9. August 2012
Sending a follow-up after another week had passed, resulted in in the funny resonse that our email landed in the employees spam folder. We were told to submit it again using a contact form on the website. We did not want to give up and submitted everything again. One day later we got an email stating that somebody will care about this issue. This was the last mail we have received from the security team. After two months we noticed that the subdomain was offline. We wrote another email asking whether they have closed the XSS issue and perhaps want to list us in their hall of fame. Since then, we have not received anything back.
That kind of “rough” fixes are regrettably common for bigger companies: Subdomains which are of no use anymore are simply removed. But it is really disappointing that they have not responded to say something like a “thanks”. However, it is good to know that the issue is not exploitable anymore.
Update (25th of mai 2013): One month after our last contact attempt, we have received an email from the security team saying that they have finally resolved the issue. They asked for a our details for the hall of fame entry. Without any further notification or feedback they put our names on the HoF. The communication process with Adobe is far from anything what you would consider “good”.
The team of internetwache.org