Bug Bounties


Powered by: 

Allows bounty splitting: 

Average time to first program response: 

Average time to bounty awarded null: 

Average time to report resolved: 

Handle openmage

Managed program: false

Name: OpenMage

Offers bounties: false

Offers swag: false

Response efficiency percentage: 67

Submission state: open

Url: https://hackerone.com/openmage

Website: https://www.openmage.org/

In scope:

  • Asset identifier: https://demo.openmage.org/
  • Asset type: URL
  • Availability requirement: none
  • Confidentiality requirement: low
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: This "demo site" is the OpenMage LTS source code hosted on a server donated by a third-party. It does not contain sensitive data but for the purpose of this program may be considered as a live shopping cart target. Only the website on **port 443** is in-scope for this HackerOne program! **Please do not connect to or scan any ports other than 443.** *Reports that are not applicable to the web service on port 443 will be closed as Not Applicable.* Please do not report other issues that might be expected to be handled on a production-grade installation such as: - Lack of rate-limiting - Lack of intrusion detection/prevention - Lack of anti-spam measures - Lack of other features like 2FA which would improve security *We are aware of these shortcomings but are interested in the security of the OpenMage LTS software as it relates to the functioning of the open-source source code and consider these features to be outside the scope of this software project.* In general, we consider the session IDs (the value in the `om_frontend` or `adminhtml` cookies) to be safely stored in the browser (the cookies have the HttpOnly and Secure flags) and safely transmitted to the server over https. We are not interested in vulnerabilities caused by the user's system or network being deeply compromised such that these session IDs become known to the attacker (session fixation). Reports with this premise will be closed as Not Applicable.
  • Integrity requirements: low
  • Max severity: medium

  • Asset identifier: https://github.com/OpenMage/magento-lts
  • Asset type: SOURCE_CODE
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: The source code for OpenMage LTS is provided via github.com/OpenMage/magento-lts and is publicly available. The attack surface for this source code can vary widely based on how it is deployed. If there is a security vulnerability with a specific installation that does not widely affect other OpenMage LTS users please disclose the issue directly to the affected party. The OpenMage program covers only vulnerabilities that exist within the source code that is available on github.com/OpenMage/magento-lts and you are responsible for setting up your own test environment to hack on this source code.
  • Integrity requirements: high
  • Max severity: critical