Banner object (1)

4217 policies in database
  Back Link to program      
Magic Leap One - Cloud Ecosystem logo
Hall of Fame


Magic Leap One - Cloud Ecosystem

Program Overview


Here at Magic Leap, our goal is to constantly make our products more secure. And that’s why we need the security researcher community’s help to identify any privacy and security vulnerabilities in Magic Leap One. We have worked to create a magical and modern cloud ecosystem with the latest security mechanisms, but we understand there is always room for improvement when it comes to protecting our creator community. We recognize the value and contributions of security researchers in helping us protect both developers and consumers, and we would like to show our appreciation by offering a rewards program for eligible security vulnerability reports.

We encourage sincere reports with responsible disclosure, and in return, we will do our best to reply to all submissions and offer transparency and fairness in administering this program. Before reporting though, please review the entirety of this page including our responsible disclosure policy, program rules, legal terms/conditions, reward guidelines, and those things that should not be reported. Thank you for all that you do to make the uncharted frontier of spatial computing better, happier and more secure. Happy bug hunting!


For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward range

Last updated 13 Feb 2020 00:33:10 UTC

Technical severity | Reward range
p1 Critical | $2,048 - $8,192
p2 Severe | $1,024 - $2,048
p3 Moderate | $256 - $512
p4 Low | Up to: $256

P5 submissions do not receive any rewards for this program.


In scope

Target name | Type
* | Website | Website | Website | Website | API | Website | Website | Website | Website | Website

Out of scope

Target name | Type
<> | Website

Any domain/property of Magic Leap which is not listed in the targets section is out of scope. This includes any/all subdomains not listed below.

Target Info:

Target | Description
---|--- | any subdomain is now in scope | Main Magic Leap site. | Acts as the account portal. A user can edit personal details, payment methods, etc. | As the name implies, acts as the developer portal, distributing documentation, and SDKs. | Provides API services to all other entities within Magic Leap. | Acts as the login portal, issuing tokens consumed by other services. | Developer content can be found here, please note that all download files are out-of-scope. | Developer documentation can be found here, please note that all download files are out-of-scope. | Mostly CDN, static files. | Mostly CDN, static files. | It is a Zendesk platform, only
XSS with PoC* should be reported.

Login Page:

Please be sure to use your email for testing.


  • Violations of licenses or other restrictions applicable to any vendor's product.
  • UI bugs & UX bugs (unless they are security related) and spelling mistakes
  • Spam or social engineering techniques.
  • Security issues in third party services or applications not owned by Magic Leap (e.g., Zendesk, Hubspot and Contentful). While we often care about vulnerabilities affecting services we use, we cannot guarantee our disclosure policies apply to services or applications from other companies.

  • Any bugs that works only on IE are out of scope.

  • Any tests on paymetrics or aren't allowed and will ban researchers from the program.

Third-party Bugs

If issues reported to our bug bounty program affect a third-party library, external project, or another vendor, Magic Leap reserves the right to forward details of the issue to that party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers throughout this process.

Program Rules and Legal Terms:

  1. Bugs or vulnerabilities must be reported strictly through the Bug Crowd platform. Bugs that were already disclosed publicly or are “out of scope” may not be rewarded.

  2. Adhere to the Responsible Disclosure Guidelines (see below).

  3. Only the first report of a verified bug will be rewarded. Bugs that are previously or publicly known will not qualify for a reward.

  4. The reward amounts may change from time to time and will be paid according to the submission date.

  5. Submissions that do not raise novel, unique or otherwise pertinent security issues won’t be entitled for rewards. (E.g. bugs unrelated to security vulnerabilities, click-jacking or phishing schemes, etc.)

  6. If issues reported to our bug bounty program affect a third-party library, external project, or another vendor, Magic Leap reserves the right to forward details of the issue to that party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers throughout this process.

  7. We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Crimea, Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. There may be additional restrictions on your ability to enter depending upon your local law.

  8. This is a discretionary rewards program (which means we may stop the rewards program at any time). You are responsible for all taxes associated with and imposed on any reward you may receive as part of this program, including tax implications based on your country of residency and citizenship. Researchers acknowledge and agree that regardless of receiving any rewards, any information and contents submitted to Magic Leap may be used by Magic Leap in its sole discretion to enhance the security of its products.

  9. Of course, your testing must not violate any laws or regulations, or disrupt or compromise any data that is not your own; there may be additional restrictions in your territory relating to participation in a rewards program. You may not infringe or misappropriate any third party rights, including intellectual property rights. You may not send us any third party confidential information. If you inadvertently cause a privacy violation or disruption (such as accessing user data, service configurations, or other confidential information) while investigating an issue, you must disclose this in your report.

  10. To avoid potential conflicts of interest, we will not grant rewards to anyone who has developed code for any devices or platforms covered by this program, including people who are employed by Magic Leap or companies that do work for Magic Leap (including any immediate family members of the foregoing).

  11. Notwithstanding any restrictions in Magic Leap’s Ecosystem and Online Services terms related to technical limitations or circumvention in Magic Leap's cloud platform, you may use Magic Leap's services solely for the purpose of identifying and submitting security vulnerabilities to Magic Leap as set forth in this program.

Submission Guidelines:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC).

  • Keep information about the potential vulnerability discovered confidential between yourself and Magic Leap (via Bug Crowd) until we have a remedy or a fix in production and you have received our explicit written consent to disclose the vulnerability.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

  • For the purposes of this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.

  • You must not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)

In response, we will do our part to investigate all valid reports, respond promptly and fix verified bugs in a reasonable timeframe.

The following finding types are specifically excluded from the bounty:

  • Default files available via web (e.g. README.TXT, CHANGES.TXT, etc)
  • Issues only useful in social engineering / phishing attacks (except in very rare cases)
  • Lack of or weak pin/code strength requirements
  • Text injection email spoofing (including SPF, DKIM, From: spoofing, and visually similar and related issues)
  • Descriptive error messages (e.g. stack traces, application or server errors)
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Fingerprinting/banner disclosure on common/public services
  • Full path disclosure / path disclosure (except for very special cases)
  • CSRF on forms that are available to anonymous users, for example contact forms
  • Disclosure of known public files or directories, (e.g. robots.txt)
  • Login/Logout cross-site request forgery (CSRF)
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Lack of security speedbump when leaving the site
  • Weak Captcha/Captcha bypass
  • Brute force pin/code lockout not enforced
  • OPTIONS HTTP method enabled
  • Any crossdomain.xml files
  • Denial of Service (DoS / DDoS)
  • Out-of-date software
  • Rate limiter
  • Logout invalide session.
  • Username / email enumeration by brute forcing / error messages (e.g. login / signup / forgotten password)
  • Missing H TTP security headers, including: - Strict-Transport-Security - X-XSS-Protection - X-Content-Type-Options - Content-Security-Policy-Report-Only - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP


Please note: This public program does not allow disclosure.
You may not release information about vulnerabilities found in this program to the public.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type Scope Name











Out of Scope

Scope Type Scope Name

Firebounty have crawled on 2018-10-11 the program Magic Leap One - Cloud Ecosystem on the platform Bugcrowd.

FireBounty © 2015-2020

Legal notices