Banner object (1)

Hack and Take the Cash !

794 bounties in database
  Back Link to program      
Magento logo
Hall of Fame


100 $ 


Magento is a modern cloud commerce platform with an open-source ecosystem and is now part of the Adobe Experience Cloud. We value the contributions of the security research community and look forward to working with you to minimize risk to our customers.


Please review the following guidelines before submitting your report:

  • DO use HackerOne's email aliases feature [username] when registering your account instructions here.
  • DO include technical details about your finding, proof-of-concept URL(s), screenshots and reproducible steps. If the report is not detailed enough to reproduce the issue, triage will be delayed and the issue may not be eligible for a reward.
  • DO submit one vulnerability per report (unless you need to chain vulnerabilities to provide impact). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.
  • DO NOT test existing merchant’s stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.
  • DO NOT cause a potential or actual denial of service of Magento applications and systems.
  • DO NOT use an exploit to view data without authorization or cause corruption of data.
  • DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.


  • Magento Commerce, Magento Commerce Cloud, Magento Commerce B2B, and Magento Open Source. Magento Commerce code will not be provided free of charge to researchers, but Open Source edition is freely available and shares much of the same code as Magento Commerce. NOTE: Bugs that impact both Magento Commerce and Magento Open Source (and/or any web properties utilizing Magento Commerce) will only be eligible for a single bounty payment.
  • Magento web properties:,,,,,,, and NOTE: bugs that impact more than one domain will only be eligible for a single bounty payment. Bugs in other Magento sub-domains are NOT eligible for the program, nor are vulnerabilities in 3rd party web applications not developed by Magento.
  • Scope includes both released version of Magento software, as well as pre-release (alpha, beta, RC, dev) versions.

Note: Issues outside of the defined scope (ex. other Magento products, other domains or subdomains owned by Magento, bundled extensions, popular 3rd party extension) will not be eligible for a reward, but we welcome the responsible disclosure of vulnerabilities impacting these domains or extensions.


When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Vulnerabilities in custom code developed by merchants.
  • Vulnerabilities in extensions available from the extension market.
  • Clickjacking on pages with no sensitive actions.
  • Vulnerabilities that require disabling security features enabled in default configurations.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) where the code is only executed in front-end context but not in admin context. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow. XSS issues where an administrator with limited access can impact other administration pages are valid.
  • Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS into an input field, and then submitting the form to trigger a non-persistent XSS.
  • Open Redirects/Forwards when leaving the site.
  • Missing HTTP security headers, specifically http security headers __.
  • Reports from automated scripts or scanners (without proof of exploitation).

Program Policies

Researchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.

Disclosure Policy

Follow HackerOne's disclosure guidelines __.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.


Minors are welcome to participate in the program by submitting issues for review. However, the Children's Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty.

Ineligible participants

This Program is not open to individuals who reside in Cuba, Iran, North Korea, Sudan or Syria.

In Scope

Scope Type Scope Name

Magento 1 Enterprise (Commerce) and Community (Open Source) Editions


Magento 2 Commerce, Commerce B2B and Open Source









This program crawled on the 2019-01-29 is sorted as bounty.

FireBounty © 2015-2020

Legal notices