Adobe, the new owner of the ecommerce platform Magento, is about to end one of the most celebrated initiatives in open source ecommerce security: the bug bounty program. Magento introduced the bug bounty program a couple of years ago, presumably prompted by the enormous damage caused by the Remote Code Execution vulnerability “Shoplift”. Reported critical bugs and vulnerabilities in Magento, often discovered by community members, were rewarded with monetary compensation. The program was a huge success. It made sure 284 bugs were not found and abused by crooks, but fixed by Magento and the community. It prevented credit card data from getting stolen. It prevented merchants and agencies from wasting time and money firefighting successful hacks. It prevented Magento and ecommerce from getting a bad name with shoppers. It prevented damage worth at least millions of dollars. And now Adobe is closing the program, one of its first actions as new owner that really affects the community.
[updated 21:55 12-09-18: Jason Woosley announces Adobe will continue bug bounty program for Magento!]
The demise of #BugBounty at @Magento has been greatly exaggerated. Yesterday we announced the transition of this program to the @Adobe @HackerOne system. We failed to mention that we will continue to pay out for this incredibly valuable work. Hack on!
— Jason Woosley (@jasonwoosley_mg) 12 September 2018
Adobe announced that from September 15th on (that’s 3 days from now!) they’re consolidating the Bugcrowd program to align with Adobe’s established vulnerability disclosure program on HackerOne. Adobe doesn’t hand out monetary rewards for reported bugs. Piotr Kaminski, Lead Product Manager for Magento, confirmed on Twitter that from September 15th on, this will also be the case for Magento bugs.
This is correct. Unfortunately this is not a paid program. However, Flash bugs were probably also worth quite a lot (at least on Zerodium) and they got reported. There are also positive sides in other security areas.
— Piotr Kaminski (@piotrekkaminski) 11 September 2018
And sure, although some people will definitely still report their issues to the right people for a chance to gain karma points and improve security, even the most optimistic of us will understand that there will be fewer white hat hackers on the lookout for ways to abuse Magento. This will give malicious hackers more possible keys to enter, take over and ultimately rob Magento shops. As MageReport founders we can testify that the bug bounty program has been vital for the security of Magento, and we profoundly regret this decision.
Please help us voice the importance of the bug bounty program by expressing your concern in the Twitter poll below.
— Hypernode (@Hypernode_com) 12 September 2018