Security | Magento

Security Center

Reporting a Security Issue

Our team of security professionals works hard to keep Magento customer information secure. What's equally important to protecting this data? Our security researchers and user community. If you find a site that isn't following our policies, or a vulnerability inside our system, please tell us right away.

To report security vulnerabilities in Magento software or web sites, use the eBay Inc. Bug Bounty tool. A list of sites eligible for bounties and the vulnerability classes that are in scope are detailed below.

To report any other security-related issues, please email security@magento.com. Be sure to encrypt your email with our encryption key if it includes sensitive info.

Bug bounty submissions will NOT be accepted via email; they must be submitted using the bounty tool in order to be eligible for payment.

Responsible Disclosure Guidelines

Please help limit the impact that vulnerability reporting has on the Magento community:

  • Share the security issue with us before making it public on message boards, mailing lists, or other forums.
  • Allow us reasonable time to respond to the issue before making it public.
  • Provide full details of the issue using the bug bounty tool, including:
    • A summary of the security vulnerability and impact.
    • Components or pages affected.
    • Instructions for reproducing the issue.

Unacceptable Security Research

Do not engage in security research that involves:

  • Potential or actual denial of service of Magento applications and systems.
  • Use of an exploit to view data without authorization.
  • Corruption of data.
  • Automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact our support team.

Bug Bounty Payment Schedule

You may be eligible to receive a monetary reward, or “bounty,” if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to be a valid security issue by the security team; and (iii) you have complied with all Program Terms.

Estimated payout ranges (in USD) for in-scope vulnerabilities are as follows:

Vulnerability                                                   Tier 1 Applications   Tier 2 Applications
Information Disclosure (PII, passwords, or credit card data)    Up to $10,000         Up to $5,000
Remote Code Execution                                           Up to $10,000         Up to $2,500
Privilege Escalation                                            Up to $5,000          Up to $1,000
SQL Injection                                                   Up to $5,000          Up to $1,000
Cross-Site Request Forgery (CSRF)                               Up to $5,000          Up to $500
Cross-Site Scripting (XSS)                                      $1,000                $500
Clickjacking                                                    $500                  $100

The following domains and applications are in scope for the program. If the domain is not explicitly listed here, it should not be considered in scope for the program and should NOT be tested.

IMPORTANT NOTICE: Due to the shutdown of Magento Go and ProStores, submissions for these applications will be accepted only through July 31, 2014. We will not pay bounties on submissions after that date but will accept responsible disclosures at ebayincbugbounty@ebay.com.

Tier 1 Applications Tier 2 Applications
Magento EE/CE
  • The scope includes vulnerabilities in the out-of-the box versions of Enterprise Edition and Community Edition. The EE code will not be provided free of charge to researchers, but CE is freely available and uses much of the same code as EE.
  • The scope does NOT include vulnerabilities in custom code developed by merchants and does NOT include extensions in the extension market.
  • Researchers MUST NOT test existing merchants' stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.
  • The same bug WILL NOT be eligible for bounties in both EE and CE if it affects both products. Such a bug will only be eligible for a single bounty payment.
  • Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) will NOT be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow.
  • When submitting Magento EE/CE bugs, please input http://www.magentoproducts.com within the Web Address on the bug submission page so we can more effectively triage them.
magento.com, enterprise.magento.com, magentocommerce.com
  • The same bug WILL NOT be eligible for bounties on two or more of these domains. Such a bug will only be eligible for a single bounty payment.
  • Subdomains (other than www.) of these domains are NOT eligible for the program.
Magento Go - (*.gostorego.com)
  • Researchers MUST register their own trial stores in order to perform testing on the Go platform. NO testing of any kind may be performed by researchers against stores they did not register themselves, especially existing stores belonging to real merchants. Researchers are encouraged to name their stores in such a way that they're easily identifiable as their own. Bugs will NOT be accepted in stores not owned by the researcher; such research may result in disqualification for future bounties.
  • Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) will NOT be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. Merchants may configure their stores to use their own domains if they are concerned about the risk of XSS attacks against their customers or store.
  • The same bug WILL NOT be eligible for bounties on both the .com and the .co.uk domains, or any subdomains thereof. Such a bug will only be eligible for a single bounty payment. For example: store1.gostorego.com, store2.gostorego.co.uk, and store3.gostorego.com are all considered the same domain running the same code for the purposes of the bounty program.
imagineecommerce.com
  • Domains linked from this site are NOT in scope unless they are explicitly mentioned on this page. Many of these sites are run by third parties outside of eBay and MUST NOT be tested without explicit permission from the site owners.

ProStores - (mystore.prostores.com, store0*.prostores.com)
  • Researchers must register their own trial stores in order to perform testing on the ProStores platform. As long as each account is cancelled before 30 days, there will be no charge. NO testing of any kind may be performed by researchers against stores they did not register themselves, especially existing stores belonging to real merchants. Researchers are encouraged to name their stores in such a way that they're easily identifiable as their own. Bugs will NOT be accepted in stores not owned by the researcher; such research may result in disqualification for future bounties.
  • Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /Admin/) will NOT be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. Merchants may configure their stores to use their own domains if they are concerned about the risk of XSS attacks against their customers or store.
  • The same bug WILL NOT be eligible for bounties on two or more subdomains. Such a bug will only be eligible for a single bounty payment. For example: store01.prostores.com, store02.prostores.com, and mystore.prostores.com are all considered the same domain running the same code for the purposes of the bounty program.