Magento 2 Security Challenge Rules

September 15, 2015

By: Piotr Kaminski,
Magento Security Team

TERM:  The 2015 Magento Security Challenge begins September 16, 2015 at 9:00 AM and ends on October 16, 2015 at 11:59:00 p.m. US Pacific Time (the “Contest”).


HOW TO ENTER AND PARTICIPATE:  To participate, send an email with the subject line “Magento 2 Security Challenge” to during the Contest.  Your name and email address must be included in the body of your email with your entry. Entries not complying with these Official Rules are subject to disqualification, at the sole discretion of Magento, Inc. (“Magento”). 


All the entries will be scored based on the following criteria of risk, exploitability and submission quality:

  • Can the issue be reproduced in Magento 2?

  • Does it cause high risk or possible damage for the clients or store owners?

  • Does it affect a wide range of installations and is it easy to exploit?

  • Does the entry include proof-of-concept code, screenshot(s) or video showing the issue in action?

  • Does the entry provide information regarding how the vulnerability was found, including used tools or systems?

  • Does the entry provide a possible fix for the issue?

Prizes will be in the $100 - $5000 range, and up to $50,000 in prizes may be awarded.  Prize(s) are not transferable. Taxes are the sole responsibility of each winner.

LICENSE:  By entering the contest, all entrants agree to include an MIT software license for the source code included in their entry, if any. 

JUDGING:  The Contest consists of two (2) rounds of evaluation.  In Round One, entries will be removed from consideration if they do not meet all the minimum criteria described in these Official Rules, including being able to reproduce the issue in Magento 2.  In Round Two, the entries will be scored in the categories of (1) Risk, (2) Exploitability, and (3) Submission Quality. In the event of a tie, the tied entries will be reevaluated.  The entries with the highest combined score will be declared the winners.

WINNER DETERMINATION AND NOTIFICATION:  Winning participants will be notified by email on or about October 20, 2015.  Magento’s decisions are final in matters relating to this Contest.  Potential winners will be required to confirm their names and return any documents, properly executed, immediately upon issuance of notification.  Non-compliance within this time frame or with the Official Rules, or undeliverability of a prize notification, will result in a potential winner being disqualified, and their prize being awarded to an alternate winner. Odds of winning depend upon the number of eligible entries received.

ELIGIBILITY:  Employees, officers, and directors of Magento, any agents acting for, or on behalf of the above entity, any of the foregoing entities’ respective parents, officers, directors, subsidiaries, affiliated and/or related companies, licensees, entities associated with the development, implementation, handling, design, administration, and/or fulfillment of the Contest, and prize providers are ineligible to enter this Contest.  This Contest is open only to individuals who have reached the age of majority in their jurisdiction of residence at the time of entry and who do not reside in Burma, Cuba, Iran, North Korea, Sudan or Syria. Void where prohibited.  This Contest is subject to all applicable federal, state and local laws. U.S. law governs this Contest.

CONDITIONS OF PARTICIPATION: By entering, participants agree to be bound by these Official Rules including all eligibility requirements.  By accepting a prize, a winner consents to the use of his/her name, image, likeness, photograph, voice and biographical material and entry submission for advertising, publicity and promotional purposes by Magento, or a party designated by Magento, in any and all media now or hereafter known including, but not limited to, any online announcements, or for sharing this information with the press for viewing, whether TV or print, throughout the world in perpetuity, without additional compensation, notification or permission, except where prohibited by law.  Entrants agree to abide by the terms of these Official Rules and the decisions of Magento, which are final, and waive any right to claim ambiguity in these Official Rules.  Entrants agree that any and all disputes shall be governed by the laws of the State of California. 

LIMITATION OF LIABILITY:  PARTICIPANTS HEREBY AGREE TO RELEASE, INDEMNIFY AND HOLD MAGENTO, ITS RESPECTIVE PARENT COMPANIES, AFFILIATES, SUBSIDIARIES, DIVISIONS, ADVERTISING AND PROMOTION AGENCIES AND THEIR RESPECTIVE EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, REPRESENTATIVES AND SHAREHOLDERS (COLLECTIVELY, THE “RELEASEES”) FROM ANY CLAIMS, ACTIONS, INJURY, LOSS OR DAMAGES OF ANY KIND, INCLUDING, BUT NOT LIMITED TO, PERSONAL INJURY OR DEATH, RESULTING FROM PARTICIPATING IN THE CONTEST OR FROM THE ACCEPTANCE, POSSESSION, OR USE OR MISUSE OF ANY PRIZE AWARDED OR PARTICIPATION IN ANY PRIZE-RELATED ACTIVITY.  THIS LIMITATION OF LIABILITY IS A COMPREHENSIVE LIMITATION OF LIABILITY THAT APPLIES TO ALL DAMAGES OF ANY KIND, INCLUDING (WITHOUT LIMITATION) COMPENSATORY, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES; LOSS OF DATA, INCOME, OR PROFIT; LOSS OR DAMAGE TO PROPERTY; AND CLAIMS OF THIRD PARTIES.  PARTICIPANTS AGREE THAT RELEASEES HAVE NOT MADE NOR ARE IN ANY MANNER RESPONSIBLE OR LIABLE FOR ANY WARRANTY, REPRESENTATION, OR GUARANTEE, STATUTORY, EXPRESS OR IMPLIED (INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, AND FITNESS FOR A PARTICULAR PURPOSE), IN FACT OR IN LAW, RELATIVE TO THE CONTEST OR THE PRIZE AWARDED.  Releasees are not responsible for lost, late, incomplete, illegible, inaccurate, damaged, stolen or misdirected submissions, or problems of any kind, whether mechanical, human or electronic.  Releasees are not responsible for any human error which may occur in the Contest or in the processing of entries.  Releasees are not responsible for late, lost, incomplete, illegible, damaged or misdirected entries.  Entry materials that have been tampered with or altered are void.  
Should any portion of the Contest be, in Magento’s sole opinion, compromised by non-authorized human intervention or other causes which, in the sole opinion of Magento, corrupt or impair the administration, security, fairness, integrity or proper play, or submission of entries, or should the Contest be unable to run as planned for any other reason, Magento reserves the right at its sole discretion to terminate the Contest and, if terminated, at its discretion, select a potential winner in a random drawing from among all eligible, non-suspect entries received.  Magento’s failure to enforce any term of these Official Rules shall not constitute a waiver of such term or any other provision.  Magento reserves the right to disqualify any entrant/Participant who violates the rules or interferes with the Contest in any manner.  If an entrant/Participant is disqualified, Magento reserves the right to terminate such entrant’s/Participant’s eligibility to participate in the Contest.