Adobe recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Adobe’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible.

Researchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.

Table of Contents

1. Rewards

2. Response Targets

3. Process

4. Eligible Vulnerabilities

5. Adobe Commerce Guidelines

6. Program Exclusions

7. Disclosure

8. Safe Harbor

9. Minors

10. Ineligible Participants

11. Terms and Conditions

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Adobe. Adjustments to the bounty payout ranges are noted below each tier’s payout table.

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. If multiple submissions indicate a general pattern of weakness, only the first two reports that establish the pattern will be eligible for full bounty even if the fix requires code changes in multiple locations.

Tier 1: Adobe Commerce, Adobe Commerce B2B, and Magento Open Source

Scope:

• Core software in Magento 2 Commerce, Commerce B2B, and Open Source default configuration

• Bundled extensions

Tier 1 Payout Ranges

| Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |

| --------------------------| -----------------------| ------------------------- | -------------------- |

| $5,000 - $10,000 | $1,000 - $5,000 | $200 - $1,000 | $100 - $200 |

Payout adjustments:

• ==Tier 1 product vulnerabilities that require admin panel access: $5,000 (maximum)==

Tier 2:

Scope:

• account.magento.com

• accounts.magento.cloud

• u.magento.com

• magentolive.com

• imagine.magento.com

• marketplace.magento.com

• repo.magento.com

• magentocommerce.com

• magento.com

Tier 2 Payout Ranges

| Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |

| ------------- | ------------- | ------------- | ------------- | ------------- |

| $2,500 - $5,000 | $ 500 - $2,500 | $100 - $500 | $100 |

Payout adjustments:

• Public repo secret leak: $1,000 (maximum)

• Reflected XSS: $500 (maximum)

NOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Commerce sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Commerce.

NOTE: Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context will not be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.

Response Targets

Adobe makes every effort to meet the following SLAs for hackers participating in our program:

| Type of Response | SLA in business days |

|----------|--------------------|

| First Response | 1 day |

| Time to Triage | 2 days |

| Time to Resolution | dependent on severity and complexity |

We’ll try to keep you informed about our progress throughout the process.

Process

Your submission will be reviewed and validated by a member of the Product Security Incident Response Team.

• When submitting a vulnerability, please provide concise steps to reproduce that are easily understood as well as the impact of the vulnerability.

• Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption (key here).

• If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely.

• When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate.

Eligible Vulnerabilities

We encourage the coordinated disclosure of the following eligible web application vulnerabilities:

• Cross-site scripting

• Cross-site request forgery in a privileged context

• Server-side code execution

• Authentication or authorization flaws

• Injection Vulnerabilities

• Directory Traversal

• Information Disclosure

• Significant Security Misconfiguration (please follow best practice when reporting subdomain takeovers)

To receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.

Adobe Commerce Guidelines

Please review the following guidelines before submitting your report:

• DO use HackerOne's email aliases feature [username]@wearehackerone.com when registering your account instructions here.

• DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.

• DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.

• DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.

• DO NOT cause a potential or actual denial of service of Magento applications and systems.

• DO NOT use an exploit to view data without authorization or cause corruption of data.

• DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Program Exclusions

While we encourage any submission affecting the security of an Adobe web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:

• Content spoofing / text injection

• Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]

• Logout and other instances of low-severity Cross-Site Request Forgery

• Cross-site tracing (XST)

• Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)

• Missing HTTP security headers

• Missing cookie flags on non-sensitive cookies

• Password and account recovery policies, such as reset link expiration or password complexity

• Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)

• Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

• Missing best practices in SSL/TLS configuration.

• Clickjacking/UI redressing with no practical security impact

• Software version disclosure

• Username / email enumeration via Login Page or Forgot Password Page error messages

• Methods to extend product trial periods.

• Comma Separated Values (CSV) injection without demonstrating a vulnerability.

• Vulnerabilities in custom code developed by merchants / 3rd parties.

• Vulnerabilities in 3rd party extensions or available from the extension market.

• Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.

• Attacks requiring MITM or physical access to a user's device.

• Vulnerabilities that require disabling security features enabled in default configurations.

Disclosure

In the interest of fostering coordinated disclosure, Adobe will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Minors

Minors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty.

Ineligible Participants

This program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan, or Syria.

Terms and Conditions

• Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

• Please do not test for spam, social engineering, or denial of service issues.

• Please do not engage in any activity that can potentially or actually cause harm to Adobe, our customers, or our employees.

• Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.

• Do not store, share, compromise, or destroy Adobe or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Adobe. This step protects any potentially vulnerable data, and you.