Magento won’t ditch ‘bug bounty’ scheme after all
Ecommerce platform provider Magento will not be ending its bug bounty program after all following an uproar from users. The scheme rewarded benevolent hackers and developers who receive between $100 to $10,000 for reporting a coding weakness with the software.
The announcement was made on the bug bounty program (BBP) page on Bugcrowd. That’s a dedicated online platform for submitting security bugs. They originally said the program would end on September 15th with the Magento program being rolled into the Adobe scheme which doesn’t reward informants. Happily that decision has now been revoked.
Adobe bought Magento earlier this year for $1.68 billion. Many of the critics angry about the axing of the scheme said that the move was a shift away from Magento’s roots and further proof that Adobe didn’t fully understand the open-source platform it has acquired.
We realize our announcement on September 10 about aligning the Magento bug bounty program to the Adobe vulnerability disclosure program has caused concerns. We want to make it clear that we will carry over the existing bounty payment schedule to newly reported Magento bugs to the Adobe program. We look forward to continuing our collaboration with the security research community to improve the security of the Magento platform.
It’s good to see a reversal of this policy for several reasons. Firstly, it was a shoddy idea to ditch what was a respected and effective bug hunting scheme in the first place. Merchants enjoyed huge benefits, on more than one occasion from vulnerabilities spotted by bug-hunters, most notably the Shoplift problem.
But perhaps more heartening is the fact that despite being owned by Adobe, a much bigger and presumably less nimble operation, they have had courage and sense enough to reverse the decision. Judging by the response online, from the vocal community of bug hunters, this is a welcome change that will hopefully keep the system secure.