Magento Security Center
Magento Security Alert Registry
Your security is our primary concern. Occasionally our security, and yours, can be affected by outside forces. If that happens, we endeavor to make you the first to know.
Join Magento's Security Alert Registry to get the latest information on all potential vulnerabilities.
As part of our ongoing commitment to excellence in platform security and performance, we periodically release patches that address specific issues and update the code. We recommend that you install any security-related patch as soon as possible:
Reporting a Security Issue
Our team of security professionals works hard to help keep Magento secure. Equally important to protecting Magento and the data it handles are our security researchers and user community. If you find a site that isn't following security best practices, or a vulnerability inside our system, please tell us right away.
Responsible Disclosure Guidelines
Please help limit the impact that vulnerability reporting has on the Magento community:
- Share the security issue with us before making it public on message boards, mailing lists, or other forums.
- Allow us reasonable time to respond to the issue before making it public.
- Provide full details of the issue using the bug bounty tool, including:
  - A summary of the security vulnerability and its impact.
  - Components or pages affected.
  - Instructions for reproducing the issue.
Unacceptable Security Research
Do not engage in security research that involves:
- Potential or actual denial of service of Magento applications and systems.
- Use of an exploit to view data without authorization.
- Corruption of data.
- Automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact our support team.
Bug Bounty Payment Schedule
You may be eligible to receive a monetary reward, or “bounty,” if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to be a valid security issue by the security team; and (iii) you have complied with all Program Terms.
Estimated payout ranges (in USD) for in-scope vulnerabilities are as follows:
| Vulnerability | Tier 1 Applications | Tier 2 Applications |
|---|---|---|
| Information Disclosure (PII, passwords, or credit card data) | Up to $10,000 | Up to $5,000 |
| Remote Code Execution | Up to $10,000 | Up to $2,500 |
| Privilege Escalation | Up to $5,000 | Up to $1,000 |
| SQL Injection | Up to $5,000 | Up to $1,000 |
| Cross-Site Request Forgery (CSRF) | Up to $5,000 | Up to $500 |
| Cross-Site Scripting (XSS) | $1,000 | $500 |
The following domains and applications are in scope for the program. If the domain is not explicitly listed here, it should not be considered in scope for the program and should NOT be tested.
Tier 1 Applications - Magento Enterprise Edition and Magento Community Edition
- The scope includes vulnerabilities in the out-of-the-box versions of Enterprise Edition and Community Edition. The Enterprise Edition code will not be provided free of charge to researchers, but Community Edition is freely available and uses much of the same code as Enterprise Edition.
- The scope does NOT include vulnerabilities in custom code developed by merchants and does NOT include extensions in the extension market.
- Researchers MUST NOT test existing merchants' stores without explicit permission from the owner. Researchers may perform their testing against their own local installations.
- The same bug WILL NOT be eligible for bounties in both Enterprise Edition and Community Edition if it affects both products. Such a bug will only be eligible for a single bounty payment.
- Cross-Site Scripting (XSS) bugs in the admin interface (URLs containing /admin/) will NOT be accepted. Merchants are explicitly allowed to use active content when designing their stores, so this is a required feature. The admin XSS capability does not give the administrator any additional powers to do harm beyond what other administrative features already allow.
- When submitting Magento Enterprise Edition/Community Edition bugs, please enter http://www.magentoproducts.com in the Web Address field on the bug submission page so we can triage them more effectively.
Tier 2 Applications - magento.com, enterprise.magento.com, magentocommerce.com
- The same bug WILL NOT be eligible for bounties on two or more of these domains. Such a bug will only be eligible for a single bounty payment.
- Subdomains (other than www.) of these domains are NOT eligible for the program.