Magic Bug Bounty Program

###Magic

Magic is a developer SDK that empowers applications with passwordless authentication using magic links, WebAuthn, OAuth, and other authentication tools.

Magic also builds a robust and distributed key management solution that supports this authentication infrastructure.

When users want to sign up or log in to an application, the typical flow is:

• User enters email address
• User receives an email with a call to action (OTP code, magic link or additional methods)
• User verifies email address by responding to the call to action
• User is logged into the application

Fortmatic

Magic also supports and builds Fortmatic, a cryptocurrency wallet integrated with many leading blockchain companies around the world.

Goals

As part of Magic's mission and security overview, we want to improve the developer experience of authentication, while keeping security top of mind for all developers. We recognize the importance of maintaining security in our services in order to keep our users safe.

With this bounty program, we encourage researchers to discover security vulnerabilities in our systems. These can cover almost any aspect of the product, from SDKs, APIs, public-facing codebases, user interfaces, developer dashboards, and more.

Both Magic and Fortmatic's products and services are under scope for testing.

We’d like to highlight the following focus areas for this Bug Bounty Program:

• Developer’s and user’s sensitive or personal information
• Asset or Platform security
• Key Management systems
• New / Beta features

Response Targets

Magic will make a best effort to meet the following response targets for researchers participating in our program:

• Time to first response (from report submit) - 5 business days
• Time to triage (from first response) - 3 business days
• Time to remediate - Dependent on severity and complexity
• Time to bounty (from triage) - 10 business days

We will try to keep you informed about our progress throughout the process.

Program Policy

Complying with the Bug Bounty Program policy requires researchers to adhere to our requirements detailed below.

###Reporting Requirements

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

###Disclosure Requirements

• As part of the Magic Bug Bounty Program, researchers may not discuss, share or disclose the program or any vulnerabilities (even resolved ones) outside of the platform without express consent from the organization.
• Researchers may not profit from any discovered vulnerabilities or report vulnerabilities with conditions, demands or ransom threats.
• For additional guidelines on Disclosure, follow disclosure guidelines.
• For testing Magic, follow the Magic Developer Terms & Conditions
• For testing Magic, follow the Magic Developer API & SDK License Agreement
• For testing Fortmatic, follow the Fortmatic Developer Terms & Conditions
• For testing Fortmatic, follow the Fortmatic Developer API & SDK License Agreement

###Research Requirements

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
• Do not perform testing on Out of Scope assets or vulnerabilities. Reports for out of scope assets or vulnerabilities will be closed as N/A. Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Failure to comply with the Bug Bounty Program or any of the requirements or policies leads to automatic ineligibility for payouts.

##In Scope Vulnerabilities

For this bug bounty program, all software vulnerabilities are considered in scope unless specified below. Please refer to the structured scopes section to find our in-scope assets.

##Out of Scope Vulnerabilities

• Attacks resolved by rate limiting
• Hijacking developer API public keys
• Domain spoofing
• DDoS on our systems as well as our providers systems (i.e SMS provider)
• Social engineering
• Physical security
• Previously known vulnerable libraries without a working Proof of Concept
• Non-security-impacting UX issues
• Man-in-the-Middle attacks
• Ability to abuse any existing blockchain functionality
• Features/links that lead to or are provided by external providers i.e our Typeform integrations, docs.fortmatic.com?ref=h1, etc.
• Race conditions are out of scope unless they result in:
  • Unauthorized transfer or theft of user funds/crypto assets
  • Exposure of private keys, credentials, or other sensitive data

##Out of Scope Assets

• Please refer to the structured scopes section.
• Any other subdomain that is not listed in the structured scopes section will be considered out of scope

#How To Get Started Researchers will require the following to be able to conduct research:

###Create Your Test Account

The best way to get started with the program is to navigate to our Magic developer dashboard or Fortmatic developer dashboard and sign-up for a developer account. This will give you access to API keys which can be used to access our assets as well as a comprehensive set of docs to get started. Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for a vulnerability while signing up and familiarizing yourself with its features.

###Create Your dApp Please visit our Magic documentation or Fortmatic documentation to get you set up with our products (you'll be up and running in <5 minutes).

Safe Harbor

To encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities. You are expected, as always, to comply with all applicable laws. Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

This document contains material from the #legalbugbounty project, which can be found on github.

Privacy Policy

The collection of information in Magic's product is bound by the terms described in our Privacy Policy