UPDATE (September 12, 2018):
We realize our announcement on September 10 about aligning the Magento bug bounty program to the Adobe vulnerability disclosure program has caused concerns. We want to make it clear that we will carry over the existing bounty payment schedule to newly reported Magento bugs to the Adobe program. We look forward to continuing our collaboration with the security research community to improve the security of the Magento platform.
September 10th, 2018 Announcement
As Magento continues its journey as an Adobe company, we are consolidating our BugCrowd program to align with Adobe's established vulnerability disclosure program. As of September 15th, the Magento bounty program is coming to an end, and all future vulnerability findings should be submitted via Adobe's established program.
Please note the following:
1) Researchers may continue to submit valid findings via BugCrowd until September 15th,
2) Payouts for recognized and fixed bugs will still occur for releases 2.2.6 and 2.2.7,
3) Starting September 16th, any submission for the Magento platform should be submitted via Adobe's vulnerability disclosure program,
4) Adobe will honor any valid vulnerability submitted via the BugCrowd program prior to and on September 15th.
We appreciate all of the contributions from the security research community to improve the Magento platform, and we look forward to continuing this journey with you via Adobe's vulnerability disclosure program.
Our team of security professionals works hard to help keep Magento secure. What's equally important to protecting this data? Our security researchers and user community. If you find a site that isn't following security best practices, or a vulnerability inside our system, please tell us right away.
Stay up to date on the latest vulnerabilities and patches for Magento:
Responsible Disclosure Guidelines
Please help limit the impact that vulnerability reporting has on the Magento community:
- Share the security issue with us before making it public on message boards, mailing lists, or other forums.
- Allow us reasonable time to respond to the issue before making it public.
- Provide full details of the issue using the bug bounty tool, including:
- A summary of the security vulnerability and impact.
- Components or pages affected.
- Instructions for reproducing the issue.
- We want to encourage responsible disclosure of vulnerabilities. Therefore, please attach POC videos directly to your submission and not to a 3rd party site. Submissions or comments on submissions that contain links to 3rd party sites about any details of the submission will be ineligible for reward.
Unacceptable Security Research
Do not engage in security research that involves:
- Potential or actual denial of service of Magento applications and systems.
- Use of an exploit to view data without authorization.
- Corruption of data.
- Automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact our support team.
Bug Bounty Payment Schedule
You may be eligible to receive a monetary reward, or “bounty,” if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to be a valid security issue by the security team; and (iii) you have complied with all Program Terms.
The Magento program does not reward researchers until the vulnerability is fixed and marked as Resolved in the Bugcrowd platform.
If a submissions has been moved to Triage it is waiting to be reviewed by Magento. Unresolved bugs have been approved as a valid bug by Magento.
Estimated payout ranges (in USD) for in-scope vulnerabilities are as follows:
Please note this bounty does not use Bugcrowd's Vulnerability Rating Taxonomy.
|Vulnerability||Tier 1 Applications (P1-P2)||Tier 2 Applications (P1-P2)|
|Information Disclosure (PII, passwords, or credit card data)||Up to $10,000||Up to $5,000|
|Remote Code Execution||Up to $10,000||Up to $2,500|
|Privilege Escalation||Up to $5,000||Up to $1,000|
|SQL Injection||Up to $5,000||Up to $1,000|
|Cross-Site Request Forgery (CSRF)||Up to $5,000||Up to $500|
|Cross-Site Scripting (XSS)||Up to $1,000||Up to $500|
|Clickjacking||Up to $500||Up to $100|
The Magento program does not reward a monetary bounty for P3 - P5 vulnerabilities.
Please create an account on your own using your @bugcrowdninja.com email address. Your 'bugcrowdninja' email address is your firstname.lastname@example.org. All emails will go to the email address associated with your account.
This program has been running for some time and there are several known issues. Please do not get discouraged if your submissions is marked as a duplicate. Furthermore, please do re-submit any reports that you may have previously sent to Magento. Good luck and happy hunting!
The following domains and applications are in scope for the program. If the domain is not explicitly listed here, it should not be considered in scope for the program and should NOT be tested.
Tier 1 Applications - Magento Enterprise Edition and Magento Community Edition
- Enterprise Edition and Community Edition. The Enterprise Edition code will not be provided free of charge to researchers, but Community Edition is freely available and uses much of the same code as Enterprise Edition.
- The scope does NOT include vulnerabilities in custom code developed by merchants and does NOT include extensions in the extension market.
- Researchers MUST NOT test existing merchants' stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.
- The same bug WILL NOT be eligible for bounties in both Enterprise Edition and Community Edition if it affects both products. Such a bug will only be eligible for a single bounty payment.
- Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front end context but not in admin context. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.
- Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS in to an input field, and then submitting the form to trigger a non-persistent XSS.
- Logout Cross-Site Request Forgery (logout CSRF).
- Open Redirects/Forwards when leaving the site.
- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.
- Missing HTTP security headers, specifically https://www.owasp.org/index.php/List_of_useful_HTTP_headers.
- Reports from automated scripts or scanners (without proof of exploitation).
- Denial of service attacks that require large volumes of data.
Tier 2 Applications - magento.com, enterprise.magento.com, magentocommerce.com, repo.magento.com, developer.magento.com
- The same bug WILL NOT be eligible for bounties on two or more of these domains. Such a bug will only be eligible for a single bounty payment.
- Subdomains (other than www.) of these domains are NOT eligible for the program.
- The scope does NOT include vulnerabilities in 3rd party web applications not developed by Magento in use on Magento websites.
Information to gather prior to completing the reporting form:
Before submitting your report, please refer to the information we need to process a submission. Submissions without complete information slow down our ability to repair the vulnerability and might not be processed until we receive the requested information.
- Proof-of-Concept URL and the information of affected parameter
- Detailed steps of reproducing the vulnerability
- URL to screenshots to show Proof-of-Concept
- Details of the system where the tests were conducted
The Magento program does not reward vulnerability submissions until the issue is fixed and marked as Resolved in the Bugcrowd platform.
Researchers who are the first to report a vulnerability with complete information will be the researcher acknowledged in the release notes once the vulnerability is repaired. If there are additional team members involved in researching the vulnerability you are reporting, please provide their name(s) and what their contribution was to the findings when submitting this report.
Minors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty.
This Program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan or Syria.