Magento is a modern cloud commerce platform with an open-source ecosystem, and
is now part of the Adobe Experience Cloud. We value the contributions of the
security research community, and look forward to working with you to minimize
risk to our customers.
Please review the following guidelines before submitting your report:
- DO use HackerOne's email aliases feature
[username]@wearehackerone.com when registering your account instructions here.
- DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.
- DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.
- DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.
- DO NOT cause potential or actual denial of service of Magento applications and systems.
- DO NOT use an exploit to view data without authorization or cause corruption of data.
- DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Magento Commerce, Magento Commerce Cloud, Magento Commerce B2B and Magento Open Source. Magento Commerce code will not be provided free of charge to researchers, but Open Source edition is freely available and shares much of the same code as Magento Commerce. NOTE: Bugs that impact both Magento Commerce and Magento Open Source (and/or any web properties utilizing Magento Commerce) will only be eligible for a single bounty payment.
- Magento web properties: magento.com, account.magento.com, enterprise.magento.com, magentocommerce.com, repo.magento.com, developer.magento.com, u.magento.com, imagine.magento.com and magentolive.com. NOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Magento sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Magento.
- Scope includes both released version of Magento software, as well as pre-release (alpha, beta, RC, dev) versions.
Note: Issues outside of the defined scope (ex. other Magento products, other
domains or subdomains owned by Magento, bundled extensions, popular 3rd party
extension) will not be eligible for a reward, but but we welcome the
responsible disclosure of vulnerabilities impacting these domains or
When reporting vulnerabilities, please consider (1) attack scenario /
exploitability, and (2) security impact of the bug. The following issues are
considered out of scope:
- Vulnerabilities in custom code developed by merchants
- Vulnerabilities in extensions available from the extension market.
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.
- Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS into an input field, and then submitting the form to trigger a non-persistent XSS.
- Open Redirects/Forwards when leaving the site.
- Missing HTTP security headers, specifically http security headers __.
- Reports from automated scripts or scanners (without proof of exploitation).
Researchers who are the first to report a vulnerability will be the researcher
acknowledged in the release notes once the vulnerability is resolved. If there
are additional team members involved in researching the vulnerability, please
provide their name(s) and what their contribution was to the findings when
submitting this report.
Follow HackerOne's disclosure guidelines
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct and we will not initiate legal action against
you. If legal action is initiated by a third party against you in connection
with activities conducted under this policy, we will take steps to make it
known that your actions were conducted in compliance with this policy.
Minors are welcome to participate in the program by submitting issues for
review. However, the Children's Online Privacy Protection Act (COPPA)
restricts our ability to collect personal information from children under 13,
so minors who are 12 years old or younger must have their parent or legal
guardian submit their information in order to claim a bounty.
This Program is not open to individuals who reside in Cuba, Iran, North Korea,
Sudan or Syria.