Great news from the Magento team for bug reporters.
Magento has enhanced its Bug Bounty Program and joined HackerOne. Magento strives to minimize risks for its clients and encourages bug reporters to cooperate.
The updated program brings faster payments and issue verification, quicker reviews and responses to reports, and possibilities for future cooperation with Adobe.
The program rewards the security research community for reported bugs that impact Magento Commerce, Magento Commerce Cloud, Magento Commerce B2B and Magento Open Source.
Magento web properties in scope: magento.com, account.magento.com, enterprise.magento.com, magentocommerce.com, repo.magento.com, developer.magento.com, u.magento.com, imagine.magento.com and magentolive.com.
Other Magento domains, subdomains and third-party extensions are not included in the program, and bugs found there won't be rewarded. Nevertheless, the Magento team welcomes responsible reports disclosing vulnerabilities that impact these domains and extensions.
The program has already paid reporters $26,250. The average bounty range is $500 to $1,000, and the top bounty range is $3,750 to $5,000.
The Bugcrowd platform will work in a read-only/open mode for some time to complete all the remaining payments to the existing contributors and move to the new HackerOne program.
The site is live now, so you can report bugs at hackerone.com/magento, where you can also find more detailed information about the guidelines and the program's exclusions and policies. To join the program, fill in the registration form or use your existing account.