Uproar after Adobe winds down Magento rewards-based bug bounty program

Adobe announces plans to integrate Magento bug bounty program into existing vulnerabilities disclosure platform that offers no monetary rewards to bug hunters.
Written by Catalin Cimpanu, Contributor

The tightly-knit bug-hunting community is in an uproar over Adobe's decision to end the Magento rewards-based bug bounty program that's been active for the past three years.

In a message posted on the official Magento bug bounty program (BBP) page on Bugcrowd, an online platform for submitting security bugs, Adobe says that will end the program on September 15.

Adobe, which bought the Magento e-commerce platform and its associated open-source CMS for $1.68 billion in May, plans to integrate it into its existing HackerOne-based vulnerability disclosure program (VDP).

The difference between the two, a BBP and a VDP, is that bug hunters receive monetary rewards for reporting vulnerabilities via BBPs, while VDPs don't offer such rewards, but merely public acknowledgment in the researcher's name.

Also: Microsoft details for the first time how it classifies Windows security bugs

Adobe follows this policy as well, and Adobe's VDP clearly states this right in the first paragraph of the company's HackerOne page. This is the standard policy at Adobe, and the company previously wound down all monetary rewards programs in 2016, when it shut down the Adobe Flash Player bug bounty in August of that year.

"Currently, we at Adobe invest significant resources both internally as well as through consulting and crowd-sourced engagements, including penetration testing, with the security research community on extensive testing as a critical component of the Adobe Secure Product Lifecycle (or SPLC)," an Adobe spokesperson told ZDNet via email last night.

"We acknowledge and give recognition to researchers and other external resources who provide vulnerability reports in our security bulletins and a variety of other means," the company added.

Also: Feedify becomes latest victim of the Magecart malware campaign

But the bug hunting community is not at all happy with Adobe's decision.

Willem de Groot, a well-known security researcher who has uncovered a large number of Magento-based malware campaigns said the company would regret its decision in a short amount of time.

"Adobe isn't used to open source projects with high value security stakes," the expert commented on Twitter.

"A Magento 0day RCE makes ~$100K on the black market. The bug bountry program was a huge success, with security researchers lining up to hand in their exploits for a few [thousands]," de Groot added. "A real bargain, now down the drain."

Hypernode, a cloud hosting platform for Magento shops ran a Twitter poll earlier today asking for community feedback in regards to the bug bounty program's closure.

At the time of this article, 93 percent of respondents considered Adobe's move as a mistake and would want the program to make a comeback.

Hypernode, which tipped off ZDNet about the bug bounty program's fate, also plans on publishing a blog post with the company's opinion on the issue later today. [Update: the blog post is now live]

Also: Exploit vendor drops Tor Browser zero-day on Twitter

"This is a funny story, indeed. They went from a bug bounty program to not even paying bounties to researchers, just because they can," Andrea Zapparoli Manzoni, Director at Crowdfense, a platform that buys vulnerabilities and exploits from researchers and sells them to private customers, told ZDNet via email today.

"Software vendors are demonstrating again and again that they don't care about their users' security *at all*, they only pretend to do it for marketing / PR reasons," he added.

But bug hunters looking to sell their Magento vulnerabilities are out of luck, or at least with Manzoni's company.

"Crowdfense does not deal with [Magento] exploits *at all*," Manzoni said. "We only focus on supporting the lawful information gathering activities of our customers, which are government agencies, so for us these kind of targets [online stores] are completely out of scope."

This means that bug hunters looking to make a profit of their work, will be more likely inclined to selling exploits on the black market, such as hacking forums and dark web marketplaces.

Buyers exist galore, especially after cyber-criminal operations like Magecart, Visbot, or MagentoCore have proven to be quite successful at hacking Magento shops and infecting stores with card-stealing malware.

The Magento bug bounty program was established circa 2014. Since the program began being hosted on Bugcrowd, the Magento team rewarded 284 researchers with payouts ranging from $100 to $10,000 per vulnerability report. The biggest Magento security crisis took place in 2015 after Check Point researchers discovered the Shoplift vulnerability in the Magento CMS. The vulnerability plagued hundreds of thousands of Magento sites for years after its discovery.

UPDATE, September 12, 18:20 ET: Following ZDNet's coverage, the Adobe team has changed heart and decided to continue to operate the Magento bug bounty program under its existing terms as a monetary-based bug bounty system. An Adobe spokesperson provided the following updated statement, later confirmed by an Adobe executive on Twitter.

"We realize our announcement on September 10 about aligning the Magento bug bounty program to the Adobe vulnerability disclosure program has caused concerns. We want to make it clear that we will carry over the existing bounty payment schedule to newly reported Magento bugs to the Adobe program. We look forward to continuing our collaboration with the security research community to improve the security of the Magento platform."

Editorial standards