Magic is a developer SDK that empowers applications with passwordless authentication using magic links, WebAuthn, OAuth, and other authentication tools.
Magic also builds a robust and distributed key management solution that supports this authentication infrastructure.
When users want to sign up or log in to an application, the typical flow is:
User requests a magic link sent to their email address
User clicks on that magic link
User is securely logged into the application
If it's a web application, users are logged into the original tab, even if the user clicked on the magic link on a different browser or mobile device!
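The three-step flow above (request link, click link, original tab logged in) is the part of the product most directly tied to the "log in as a user without their confirmation" priority, so here is an added, self-contained sketch of how such a server side can be built safely. It is example code written for this page, not Magic's implementation; the `MagicLinkService` class, the `app.example` confirm URL, the 600-second TTL and the e-mail addresses are all assumptions. The points it demonstrates are that the emailed token is stored only as a hash, compared in constant time, single-use and expiring, and that the tab that requested the link must present its own `poll_secret` to collect the session, so that knowing the `login_id` from the link alone is not enough to be logged in.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

LINK_TTL_SECONDS = 600  # assumed value; the page states no lifetime for magic links


@dataclass
class PendingLogin:
    email: str
    token_hash: bytes   # sha256 of the emailed token; the plaintext token is never stored
    poll_secret: str    # held only by the tab that requested the link
    created: float
    confirmed: bool = False


class MagicLinkService:
    """Hypothetical server side of a magic-link login; not Magic's code."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def request_link(self, email: str) -> Tuple[str, str, str]:
        """Step 1: the original tab asks for a link. Returns the pair the tab
        keeps (login_id, poll_secret) and the link that is sent by email."""
        login_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        poll_secret = secrets.token_urlsafe(32)
        self.pending[login_id] = PendingLogin(
            email, self._hash(token), poll_secret, self.clock())
        # Hypothetical confirm URL; only the token travels by email, never poll_secret.
        link = f"https://app.example/confirm?login_id={login_id}&token={token}"
        return login_id, poll_secret, link

    def confirm(self, login_id: str, token: str) -> bool:
        """Step 2: called by whichever browser or device opens the link.
        The token expires, is single-use and is compared in constant time."""
        p = self.pending.get(login_id)
        if p is None:
            return False
        if self.clock() - p.created > LINK_TTL_SECONDS:
            del self.pending[login_id]  # expired: drop the record entirely
            return False
        if p.confirmed:
            return False  # replayed link
        if not hmac.compare_digest(p.token_hash, self._hash(token)):
            return False
        p.confirmed = True
        return True

    def poll(self, login_id: str, poll_secret: str) -> Optional[dict]:
        """Step 3: the original tab polls for its session. Without the
        poll_secret that only this tab holds, nothing is returned."""
        p = self.pending.get(login_id)
        if p is None or not hmac.compare_digest(p.poll_secret, poll_secret):
            return None
        if not p.confirmed:
            return None
        del self.pending[login_id]  # consumed once the session is issued
        return {"email": p.email, "session": secrets.token_urlsafe(32)}


if __name__ == "__main__":
    svc = MagicLinkService()
    login_id, poll_secret, link = svc.request_link("alice@example.com")  # constructed
    print("waiting:", svc.poll(login_id, poll_secret))
    token = link.split("token=")[1]  # what the emailed device submits
    print("confirm:", svc.confirm(login_id, token))
    print("session:", svc.poll(login_id, poll_secret))
```

One caveat the code does not solve on its own: because the confirming device is not the device that gets logged in, an attacker can request a link for a victim's address and hope the victim clicks it, handing the attacker's tab a session. A production confirm page should therefore show the requester's context (approximate location, browser, time of request) and ask the user to approve it, rather than logging in the original tab silently.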
Magic also supports and builds Fortmatic, a cryptocurrency wallet integrated with many leading blockchain companies around the world.
As part of Magic's mission and security overview, we want to improve the developer experience of authentication while keeping safety and security top of mind for all developers. We recognize the importance of maintaining security in our services in order to keep our users safe.
With this bounty program, we encourage researchers to discover security flaws in our systems. These can cover almost any aspect of the product: SDKs, APIs, public-facing codebases, user interfaces, developer dashboards, and more.
Both Magic's and Fortmatic's products are in scope for testing.
We'd like to highlight the following highest priority assets as a focal point for this Bug Bounty Program:
Developers' and users' sensitive information
Asset security
Key Management systems
New / Beta features
Complying with the Bug Bounty Program policy requires researchers to adhere to our “Disclosure Policy” section below.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Please DO NOT perform testing on OUT OF SCOPE assets. Reports for out of scope assets will be closed as N/A, resulting in negative reputation gain.
The best way to get started with the program is to navigate to our developer dashboard and sign up for a developer account. This will give you access to API keys which can be used to access our assets, as well as a comprehensive set of docs to get started. Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for an exploit while signing up and familiarizing yourself with its features.
Fortmatic Inc. will make a best effort to meet the following response targets for hackers participating in our program:
Time to first response (from report submit) - 2 business days
Time to triage (from report submit) - 2 business days
Time to bounty (from triage) - 14 business days
We’ll try to keep you informed about our progress throughout the process.
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.
For testing Magic, follow the Developer Terms & Conditions
For testing Magic, follow the Developer API & SDK License Agreement
For testing Fortmatic, follow the Developer Terms & Conditions
For testing Fortmatic, follow the Developer API & SDK License Agreement
In addition, we ask that the following policies be adhered to as well:
Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts.
Reporting vulnerabilities with no conditions, demands, or ransom threats.
In this bounty program, all software vulnerabilities in the services provided are considered in scope. Please visit our documentation to get set up with our products (you'll be up and running in under 5 minutes). You will be testing with the API test keys that we provide; when you interact with our product for the first time, 1 test ETH will be seeded into your wallet, which should give you plenty of opportunities to interact with our modal and attempt to discover vulnerabilities.
Please refer to the structured scopes section below to find our in-scope assets.
We will put more emphasis on the following security vulnerabilities:
Log in as a user without their confirmation
Modify user sensitive data
Unauthorized user digital assets transfer
All vulnerabilities that require or are related to the following are out of scope:
Hijacking developer API public keys
Domain spoofing
DDoS on our systems as well as our providers' systems (e.g. SMS provider)
Social engineering
Physical security
Previously known vulnerable libraries without a working Proof of Concept
Non-security-impacting UX issues
Man-in-the-Middle attacks
Ability to abuse any existing blockchain functionality
Features/links that lead to or are provided by external providers, e.g. our Typeform integrations, developer docs, etc.
Our API endpoints (api.fortmatic.com and api.magic.link) are out of scope for DDoS (any activity that could lead to the disruption of our service)
Any other subdomain that is not listed in the structured scopes section below
To encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.
You are expected, as always, to comply with all applicable laws.
Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
This document contains material from the #legalbugbounty project, which can be found on github.
The collection of information in Magic's product is bound by the terms described in our Privacy Policy
Scope Type | Scope Name |
---|---|
other | Account Settings |
other | Login with SMS - Feature |
other | Magic and Fortmatic Products |
other | Multi-factor Auth - Feature |
web_application | api.fortmatic.com |
web_application | x2.fortmatic.com |
web_application | auth.magic.link |
web_application | dashboard.magic.link |
web_application | api.magic.link |
web_application | dashboard.fortmatic.com |
web_application | fortmatic.com |
Out of scope:
Scope Type | Scope Name |
---|---|
web_application | careers.fortmatic.com |
web_application | developers.fortmatic.com |
web_application | static.fortmatic.com |
web_application | email.fortmatic.com |
web_application | docs.fortmatic.com |
This program, crawled on 2021-10-08, is sorted as bounty.
FireBounty © 2015-2024