New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

Join the Magento 2 Security Challenge

September 16, 2015

By: Piotr Kaminski,
Magento Security Team

As part of the Magento 2 development process, we have been conducting a wide range of security tests and working with an external penetration testing firm. Now, we’d like to invite the Magento community to help us identify potential security vulnerabilities by participating in the Magento 2 Security Challenge.  Here’s how to get involved:

 

Contest Dates: September 16, 2015 – October 16, 2015

 

Scope: Magento 2 software, which is available on GitHub at https://github.com/magento/magento2 or as a Vagrant image at https://github.com/rgranadino/mage2_vagrant.

 

Prizes: Individual prizes range from $100 to $5,000, and up to $50,000 in prizes may be awarded

 

Judging Criteria:

All the entries will be scored based on the following criteria of risk, exploitability and submission quality:

  • Can the issue be reproduced in Magento 2?

  • Does it cause high risk or possible damage for the clients or store owners?

  • Does it affect a wide range of installations and is it easy to exploit?

  • Does the entry include proof-of-concept code, screenshot(s) or video showing the issue in action?

  • Does the entry provide information regarding how the vulnerability was found, including used tools or systems?

  • Does the entry provide a possible fix for the issue?

 

 

How to Enter: You should submit Magento 2 security bugs to security@magento.com with Magento 2 Security Challenge in the title. Be sure to encrypt your email with our encryption key if it contains sensitive information. The submission should include a summary of the security vulnerability and how it can be exploited, an assessment of the risk level, and instructions for reproducing the issue. Please document the issue with videos or screenshots so that we can quickly reproduce it.

 

We ask that you do not share your discoveries publicly without our written permission. You will be acknowledged for your contributions to Magento 2 security when the product is released.

 

Full contest rules are posted at http://magento.com/security/news/magento-2-security-challenge-rules.

 

We are looking forward to reviewing your submissions!