Here at Magic Leap, our goal is to constantly make our products more secure. And that’s why we need the security researcher community’s help to identify any privacy and security vulnerabilities in Magic Leap One. We have worked to create a magical and modern operating system (LuminOS) with the latest security mechanisms, but we understand there is always room for improvement when it comes to protecting our creator community. We recognize the value and contributions of security researchers in helping us protect both developers and consumers, and we would like to show our appreciation by offering a rewards program for eligible security vulnerability reports.
We encourage sincere reports with responsible disclosure, and in return, we will do our best to reply to all submissions and offer transparency and fairness in administering this program. Before reporting though, please review the entirety of this page including our responsible disclosure policy, program rules, legal terms/conditions, reward guidelines, and those things that should not be reported. Thank you for all that you do to make the uncharted frontier of spatial computing better, happier and more secure. Happy bug hunting!
Last updated 10 October 2018 00:51:57 UTC
Technical severity | Reward range
p1 Critical | $1,024 - $8,192
p2 Severe | $512 - $3,072
p3 Moderate | $256 - $1,024
p4 Low | $128 - $256
P5 submissions do not receive any rewards for this program.
Target name | Type
Latest public release of LuminOS, ML1 | Other
Any domain/property of Magic Leap which is not listed in the targets section is out of scope. This includes any/all subdomains not listed below.
To participate in this bounty program, you must have access to a Magic Leap One device.
LuminOS is the operating system utilized by the Magic Leap One, that gets the most out of our spatial computing platform by working in tandem with the brain. We’re talking machine learning, middleware, an SDK and development tools. It’s optimized for performance with a high-fidelity visual experience to turn your wildest imaginings into even wilder realities.
LuminOS runs code in various components, listed below. We use these terms as a reference for the Severity table below.
Untrusted Process - 3rd party application code
Unprivileged Service - System processes (that aren’t apps) that don’t have many permissions, can’t access all file system, etc
Privileged Service - Sensitive system processes that manage the whole device, e.g. has global access to the file system, running as root, set uid capability
Kernel & drivers
TZ - Any TrustZone process
Secure Boot - Main processor’s booting phases
Arbitrary code execution in the TZ
Remote arbitrary code execution in a privileged service or OS kernel
Remote permanent denial of service (device interoperability: completely permanent or requiring re-flashing the entire operating system)
Remote bypass of user interaction requirements on package installation or equivalent behavior
Secure Boot bypass
Arbitrary local code execution in a privileged process or OS kernel
Unauthorized access to data secured by the TZ
Remote access to protected data (data normally accessible only to locally installed apps that request permission, or that is limited to a privileged process)
Local permanent denial of service (device inoperability: completely permanent or requiring re-flashing the entire operating system)
Remote temporary device denial of service (remote hang or reboot)
Remote bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission)
Local bypass of user interaction requirements for any developer or security settings modifications
A general bypass for operating system protections that isolate application data from other applications
A general bypass for operating system protections that isolate users or profiles from one another
Cryptographic Vulnerability in Standard TLS that allows for man-in-the-middle attacks
Remote arbitrary code execution in an unprivileged service
A bug in the Computer-Vision stack by a manipulated input for the vision sensors (e.g. an artificial picture that causes DoS)
A general bypass for a defense in depth or exploit mitigation technology in a privileged service or the TZ
Bypass of restrictions on an untrusted process
Remote access to unprotected data (data normally accessible to any locally installed app)
Local access to protected data (data normally accessible only to locally installed apps that request permission, or that is limited to a privileged process)
Local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user consent)
Local permanent denial of service (device requires a factory reset)
Cryptographic Vulnerability in standard crypto primitives that allows leaking of plaintext (not primitives used in TLS)
Bypass of Device Protection/ Factory Reset Protection
Local arbitrary code execution in an unprivileged process
Cryptographic vulnerability in non-standard usage
A general bypass for a user level defense in depth or exploit mitigation technology in an unprivileged service
A remote attack vector indicates the bug could be exploited without installing an app or without physical access to the device. This includes bugs that could be triggered by browsing to a web page, connecting to a hostile network, or bugs that can be exploited over BT or BLE connections. These include bugs that can be exploited only by an attacker who is physically near the target device, for example a bug that requires sending malformed Wi-Fi or Bluetooth packets.
Local attacks require the victim to install an app, and physical attack vectors are also considered local. These include bugs that can be exploited only by an attacker who has physical access to the device, for example a bug in a lock screen or one that requires plugging in a USB cable.
If the bug requires a feature that isn’t default on the device, it will reduce severity level by 1 (e.g. developer mode MLDB attacks).
User interaction required for the exploitation itself of a bug might reduce severity level by 1 (e.g. BT pairing).
A bug in the Android (AOSP) code base that is used by LuminOS isn’t eligible for an award and should be reported to Google.
However, if LuminOS claims to have a patch level or a fixed version of a project that is used and the fix is missing, we may reward for that.
Attacks against Magic Leap cloud infrastructure (AWS, GCP, etc.). See separate bounty program for Magic Leap cloud infrastructure.
Violations of licenses or other restrictions applicable to any vendor's product.
UI bugs & UX bugs (unless they are security related), and spelling mistakes.
Spam or social engineering techniques.
Security issues in third party services or applications not owned by Magic Leap. While we often care about vulnerabilities affecting services we use, we cannot guarantee our disclosure policies apply to services or applications from other companies.
Bugs or vulnerabilities must be reported strictly through the Bug Crowd platform. Bugs that were already disclosed publicly or are “out of scope” may not be rewarded.
Adhere to the Responsible Disclosure Guidelines (see below).
Only the first report of a verified bug will be rewarded. Bugs that are previously or publicly known will not qualify for a reward.
The reward amounts may change from time to time and will be paid according to the submission date.
Submissions that do not raise novel, unique or otherwise pertinent security issues won’t be entitled for rewards. (E.g. bugs unrelated to security vulnerabilities, click-jacking or phishing schemes, etc.)
If issues reported to our bug bounty program affect a third-party library, external project, or another vendor, Magic Leap reserves the right to forward details of the issue to that party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers throughout this process.
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Crimea, Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. There may be additional restrictions on your ability to enter depending upon your local law.
This is a discretionary rewards program (which means we may stop the rewards program at any time). You are responsible for all taxes associated with and imposed on any reward you may receive as part of this program, including tax implications based on your country of residency and citizenship. Researchers acknowledge and agree that regardless of receiving any rewards, any information and contents submitted to Magic Leap may be used by Magic Leap in its sole discretion to enhance the security of its products.
Of course, your testing must not violate any laws or regulations, or disrupt or compromise any data that is not your own; there may be additional restrictions in your territory relating to participation in a rewards program. You may not infringe or misappropriate any third party rights, including intellectual property rights. You may not send us any third party confidential information. If you inadvertently cause a privacy violation or disruption (such as accessing user data, service configurations, or other confidential information) while investigating an issue, you must disclose this in your report.
To avoid potential conflicts of interest, we will not grant rewards to anyone who has developed code for any devices or platforms covered by this program, including people who are employed by Magic Leap or companies that do work for Magic Leap (including any immediate family members of the foregoing).
Notwithstanding any restrictions in Magic Leap’s End User License Agreement related to technical limitations or software protection measures in the Lumin Software, you may use the Lumin Software solely for the purpose of identifying and submitting security vulnerabilities to Magic Leap as set forth in this program.
Provide details of the vulnerability, including all information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC).
Keep information about the potential vulnerability discovered confidential between yourself and Magic Leap (via Bug Crowd) until we have a remedy or a fix in production and you have received our explicit written consent to disclose the vulnerability.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
For the purposes of this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.
You must not further exploit a security issue you discover for any reason (other than in connection with your own device and for the sole purpose of submitting vulnerabilities under this program directly to us).
In response, we will do our part to investigate all valid reports, respond promptly and fix verified bugs in a reasonable timeframe.
Reports that contain the following items may be awarded the full ranges:
Exploitation proof of concept
Reproduction test (free of IP infringement)
Please note: This public program does not allow disclosure. You may not
release information about
vulnerabilities found in this program to the public.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.