[{"id":3760029,"new_policy":"# Magic Bug Bounty Program\n\n### Magic\n\nMagic is a developer SDK that empowers applications with passwordless authentication using magic links, WebAuthn, OAuth, and other authentication tools.\n\nMagic also builds a robust and distributed key management solution that supports this authentication infrastructure.\n\nWhen users want to sign up or log in to an application, the typical flow is:\n\n- User enters email address\n- User receives an email with a call to action (OTP code, magic link or additional methods)\n- User verifies email address by responding to the call to action\n- User is logged into the application\n\n### Fortmatic\n\nMagic also supports and builds [Fortmatic](https://fortmatic.com), a cryptocurrency wallet integrated with many leading blockchain companies around the world.\n\n# Goals\n\nAs part of Magic's [mission](https://magic.link/docs/introduction/security) and [security overview](https://magic.link/docs/introduction/security), we want to improve the developer experience of authentication, while keeping security top of mind for all developers. We recognize the importance of maintaining security in our services in order to keep our users safe.\n\nWith this bounty program, we encourage researchers to discover security vulnerabilities in our systems. 
These can cover almost any aspect of the product, from SDKs, APIs, public-facing codebases, user interfaces, developer dashboards, and more.\n\nThe products and services of both [Magic](https://magic.link) and [Fortmatic](https://fortmatic.com) are in scope for testing.\n\nWe’d like to highlight the following focus areas for this Bug Bounty Program:\n\n- Developers’ and users’ sensitive or personal information\n- Asset or Platform security\n- Key Management systems\n- New / Beta features\n\n## Response Targets\n\nMagic will make a best effort to meet the following response targets for researchers participating in our program:\n\n- Time to first response (from report submission) - 5 business days\n- Time to triage (from first response) - 3 business days\n- Time to remediate - dependent on severity and complexity\n- Time to bounty (from triage) - 10 business days\n\nWe will try to keep you informed about our progress throughout the process.\n\n# Program Policy\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to the requirements detailed below.\n\n### Reporting Requirements\n\n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to demonstrate impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n### Disclosure Requirements\n\n- As part of the Magic Bug Bounty Program, researchers may not discuss, share or disclose the program or any vulnerabilities (even resolved ones) outside of the platform without express consent from the organization.\n- Researchers may not profit from any discovered vulnerabilities or report vulnerabilities with conditions, demands or ransom threats.\n- For additional guidelines on disclosure, follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n- For testing Magic, follow the Magic [Developer Terms \u0026 Conditions](https://magic.link/legal/developer-terms).\n- For testing Magic, follow the Magic [Developer API \u0026 SDK License Agreement](https://magic.link/legal/developer-license-agreement).\n- For testing Fortmatic, follow the Fortmatic [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions).\n- For testing Fortmatic, follow the Fortmatic [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement).\n\n### Research Requirements\n\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- Do not perform testing on out-of-scope assets or vulnerabilities. Reports for out-of-scope assets or vulnerabilities will be closed as N/A.\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n\nFailure to comply with the Bug Bounty Program policy or any of its requirements leads to automatic ineligibility for payouts.\n\n## In Scope Vulnerabilities\n\nFor this bug bounty program, all software vulnerabilities are considered in scope unless specified below. Please refer to the [structured scopes section](https://hackerone.com/magic-bbp/policy_scopes) to find our in-scope assets.\n\n## Out of Scope Vulnerabilities\n\n- Attacks resolved by rate limiting\n- Hijacking developer API public keys\n- Domain spoofing\n- DDoS on our systems as well as our providers' systems (e.g. our SMS provider)\n- Social engineering\n- Physical security\n- Previously known vulnerable libraries without a working Proof of Concept\n- Non-security-impacting UX issues\n- Man-in-the-Middle attacks\n- Ability to abuse any existing blockchain functionality\n- Features/links that lead to or are provided by external providers, e.g. our Typeform integrations, docs.fortmatic.com?ref=h1, etc.\n- Race conditions are out of scope unless they result in:\n  - Unauthorized transfer or theft of user funds/crypto assets\n  - Exposure of private keys, credentials, or other sensitive data\n\n## Out of Scope Assets\n\n- Please refer to the [structured scopes section](https://hackerone.com/magic-bbp/policy_scopes).\n- Any other subdomain that is not listed in the [structured scopes section](https://hackerone.com/magic-bbp/policy_scopes) will be considered out of scope.\n\n# How To Get Started\n\nResearchers will require the following to be able to conduct research:\n\n### Create Your Test Account\n\nThe best way to get started with the program is to navigate to our [Magic developer dashboard](https://dashboard.magic.link/signup) or [Fortmatic developer dashboard](https://dashboard.fortmatic.com/login) and sign up for a developer account. This will give you access to API keys, which can be used to access our assets, as well as a comprehensive set of docs to get started. 
Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for a vulnerability while signing up and familiarizing yourself with its features.\n\n### Create Your dApp\n\nPlease visit our [Magic documentation](https://magic.link/docs/home/welcome) or [Fortmatic documentation](https://docs.fortmatic.com/) to get set up with our products (you'll be up and running in \u003c5 minutes).\n\n# Safe Harbor\n\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. 
We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n\n# Privacy Policy\n\nThe collection of information in Magic's product is bound by the terms described in our [Privacy Policy](https://magic.link/legal/privacy-policy).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-25T16:51:57.836Z"},{"id":3760027,"new_policy":"# Magic Bug Bounty Program\n\n### Magic\n\nMagic is a developer SDK that empowers applications with passwordless authentication using magic links, WebAuthn, OAuth, and other authentication tools.\n\nMagic also builds a robust and distributed key management solution that supports this authentication infrastructure.\n\nWhen users want to sign up or log in to an application, the typical flow is:\n\n- User enters email address\n- User receives an email with a call to action (OTP code, magic link or additional methods)\n- User verifies email address by responding to the call to action\n- User is logged into the application\n\n### Fortmatic\n\nMagic also supports and builds [Fortmatic](https://fortmatic.com), a cryptocurrency wallet integrated with many leading blockchain companies around the world.\n\n# Goals\n\nAs part of Magic's [mission](https://magic.link/docs/introduction/security) and [security overview](https://magic.link/docs/introduction/security), we want to improve the developer experience of 
authentication, while keeping security top of mind for all developers. We recognize the importance of maintaining security in our services in order to keep our users safe.\n\nWith this bounty program, we encourage researchers to discover security vulnerabilities in our systems. These can cover almost any aspect of the product, from SDKs, APIs, public-facing codebases, user interfaces, developer dashboards, and more.\n\nThe products and services of both [Magic](https://magic.link) and [Fortmatic](https://fortmatic.com) are in scope for testing.\n\nWe’d like to highlight the following focus areas for this Bug Bounty Program:\n\n- Developers’ and users’ sensitive or personal information\n- Asset or Platform security\n- Key Management systems\n- New / Beta features\n\n## Response Targets\n\nMagic will make a best effort to meet the following response targets for researchers participating in our program:\n\n- Time to first response (from report submission) - 5 business days\n- Time to triage (from first response) - 3 business days\n- Time to remediate - dependent on severity and complexity\n- Time to bounty (from triage) - 10 business days\n\nWe will try to keep you informed about our progress throughout the process.\n\n# Program Policy\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to the requirements detailed below.\n\n### Reporting Requirements\n\n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to demonstrate impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n### Disclosure Requirements\n\n- As part of the Magic Bug Bounty Program, researchers may not discuss, share or disclose the program or any vulnerabilities (even resolved ones) outside of the platform without express consent from the organization.\n- Researchers may not profit from any discovered vulnerabilities or report vulnerabilities with conditions, demands or ransom threats.\n- For additional guidelines on disclosure, follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n- For testing Magic, follow the Magic [Developer Terms \u0026 Conditions](https://magic.link/legal/developer-terms).\n- For testing Magic, follow the Magic [Developer API \u0026 SDK License Agreement](https://magic.link/legal/developer-license-agreement).\n- For testing Fortmatic, follow the Fortmatic [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions).\n- For testing Fortmatic, follow the Fortmatic [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement).\n\n### Research Requirements\n\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- Do not perform testing on out-of-scope assets or vulnerabilities. Reports for out-of-scope assets or vulnerabilities will be closed as N/A.\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n\nFailure to comply with the Bug Bounty Program policy or any of its requirements leads to automatic ineligibility for payouts.\n\n## In Scope Vulnerabilities\n\nFor this bug bounty program, all software vulnerabilities are considered in scope unless specified below. Please refer to the [structured scopes section](https://hackerone.com/magic-bbp/policy_scopes) to find our in-scope assets.\n\n## Out of Scope Vulnerabilities\n\n- Attacks resolved by rate limiting\n- Hijacking developer API public keys\n- Domain spoofing\n- DDoS on our systems as well as our providers' systems (e.g. our SMS provider)\n- Race conditions are out of scope unless they result in:\n  - Unauthorized transfer or theft of user funds/crypto assets\n  - Exposure of private keys, credentials, or other sensitive data\n- Social engineering\n- Physical security\n- Previously known vulnerable libraries without a working Proof of Concept\n- Non-security-impacting UX issues\n- Man-in-the-Middle attacks\n- Ability to abuse any existing blockchain functionality\n- Features/links that lead to or are provided by external providers, e.g. our Typeform integrations, docs.fortmatic.com?ref=h1, etc.\n\n## Out of Scope Assets\n\n- Please refer to the [structured scopes section](https://hackerone.com/magic-bbp/policy_scopes).\n- Any other subdomain that is not listed in the [structured scopes section](https://hackerone.com/magic-bbp/policy_scopes) will be considered out of scope.\n\n# How To Get Started\n\nResearchers will require the following to be able to conduct research:\n\n### Create Your Test Account\n\nThe best way to get started with the program is to navigate to our [Magic developer dashboard](https://dashboard.magic.link/signup) or [Fortmatic developer dashboard](https://dashboard.fortmatic.com/login) and sign up for a developer account. This will give you access to API keys, which can be used to access our assets, as well as a comprehensive set of docs to get started. 
Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for a vulnerability while signing up and familiarizing yourself with its features.\n\n### Create Your dApp\n\nPlease visit our [Magic documentation](https://magic.link/docs/home/welcome) or [Fortmatic documentation](https://docs.fortmatic.com/) to get set up with our products (you'll be up and running in \u003c5 minutes).\n\n# Safe Harbor\n\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. 
We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n\n# Privacy Policy\n\nThe collection of information in Magic's product is bound by the terms described in our [Privacy Policy](https://magic.link/legal/privacy-policy).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-25T16:51:28.362Z"},{"id":3751097,"new_policy":"# Magic Bug Bounty Program\n\n### Magic\n\nMagic is a developer SDK that empowers applications with passwordless authentication using magic links, WebAuthn, OAuth, and other authentication tools.\n\nMagic also builds a robust and distributed key management solution that supports this authentication infrastructure.\n\nWhen users want to sign up or log in to an application, the typical flow is:\n\n- User enters email address\n- User receives an email with a call to action (OTP code, magic link or additional methods)\n- User verifies email address by responding to the call to action\n- User is logged into the application\n\n### Fortmatic\n\nMagic also supports and builds [Fortmatic](https://fortmatic.com), a cryptocurrency wallet integrated with many leading blockchain companies around the world.\n\n# Goals\n\nAs part of Magic's [mission](https://magic.link/docs/introduction/security) and [security overview](https://magic.link/docs/introduction/security), we want to improve the developer experience of 
authentication, while keeping security top of mind for all developers. We recognize the importance of maintaining security in our services in order to keep our users safe.\n\nWith this bounty program, we encourage researchers to discover security vulnerabilities in our systems. These can cover almost any aspect of the product, from SDKs, APIs, public-facing codebases, user interfaces, developer dashboards, and more.\n\nThe products and services of both [Magic](https://magic.link) and [Fortmatic](https://fortmatic.com) are in scope for testing.\n\nWe’d like to highlight the following focus areas for this Bug Bounty Program:\n\n- Developers’ and users’ sensitive or personal information\n- Asset or Platform security\n- Key Management systems\n- New / Beta features\n\n## Response Targets\n\nMagic will make a best effort to meet the following response targets for researchers participating in our program:\n\n- Time to first response (from report submission) - 5 business days\n- Time to triage (from first response) - 3 business days\n- Time to remediate - dependent on severity and complexity\n- Time to bounty (from triage) - 10 business days\n\nWe will try to keep you informed about our progress throughout the process.\n\n# Program Policy\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to the requirements detailed below.\n\n### Reporting Requirements\n\n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to demonstrate impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n### Disclosure Requirements\n\n- As part of the Magic Bug Bounty Program, researchers may not discuss, share or disclose the program or any vulnerabilities (even resolved ones) outside of the platform without express consent from the organization.\n- Researchers may not profit from any discovered vulnerabilities or report vulnerabilities with conditions, demands or ransom threats.\n- For additional guidelines on disclosure, follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n- For testing Magic, follow the Magic [Developer Terms \u0026 Conditions](https://magic.link/legal/developer-terms).\n- For testing Magic, follow the Magic [Developer API \u0026 SDK License Agreement](https://magic.link/legal/developer-license-agreement).\n- For testing Fortmatic, follow the Fortmatic [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions).\n- For testing Fortmatic, follow the Fortmatic [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement).\n\n### Research Requirements\n\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- Do not perform testing on out-of-scope assets or vulnerabilities. Reports for out-of-scope assets or vulnerabilities will be closed as N/A.\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n\nFailure to comply with the Bug Bounty Program policy or any of its requirements leads to automatic ineligibility for payouts.\n\n## In Scope Vulnerabilities\n\nFor this bug bounty program, all software vulnerabilities are considered in scope unless specified below. Please refer to the [structured scopes section](https://hackerone.com/magic-bbp/policy_scopes) to find our in-scope assets.\n\n## Out of Scope Vulnerabilities\n\n- Attacks resolved by rate limiting\n- Hijacking developer API public keys\n- Domain spoofing\n- DDoS on our systems as well as our providers' systems (e.g. our SMS provider)\n- Social engineering\n- Physical security\n- Previously known vulnerable libraries without a working Proof of Concept\n- Non-security-impacting UX issues\n- Man-in-the-Middle attacks\n- Ability to abuse any existing blockchain functionality\n- Features/links that lead to or are provided by external providers, e.g. our Typeform integrations, docs.fortmatic.com?ref=h1, etc.\n\n## Out of Scope Assets\n\n- Please refer to the [structured scopes section](https://hackerone.com/magic-bbp/policy_scopes).\n- Any other subdomain that is not listed in the [structured scopes section](https://hackerone.com/magic-bbp/policy_scopes) will be considered out of scope.\n\n# How To Get Started\n\nResearchers will require the following to be able to conduct research:\n\n### Create Your Test Account\n\nThe best way to get started with the program is to navigate to our [Magic developer dashboard](https://dashboard.magic.link/signup) or [Fortmatic developer dashboard](https://dashboard.fortmatic.com/login) and sign up for a developer account. This will give you access to API keys, which can be used to access our assets, as well as a comprehensive set of docs to get started. 
Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for a vulnerability while signing up and familiarizing yourself with its features.\n\n### Create Your dApp\n\nPlease visit our [Magic documentation](https://magic.link/docs/home/welcome) or [Fortmatic documentation](https://docs.fortmatic.com/) to get set up with our products (you'll be up and running in \u003c5 minutes).\n\n# Safe Harbor\n\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. 
We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n\n# Privacy Policy\n\nThe collection of information in Magic's product is bound by the terms described in our [Privacy Policy](https://magic.link/legal/privacy-policy).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-01T00:11:52.489Z"},{"id":3697834,"new_policy":"# Magic Bug Bounty Program\n\n### Magic\n\nMagic is a developer SDK that empowers applications with passwordless authentication using magic links, WebAuthn, OAuth, and other authentication tools.\n\nMagic also builds a robust and distributed key management solution that supports this authentication infrastructure.\n\nWhen users want to sign up or log in to an application, the typical flow is:\n\n- User enters email address\n- User receives an email with a call to action (OTP code, magic link or additional methods)\n- User verifies email address by responding to the call to action\n- User is logged into the application\n\n### Fortmatic\n\nMagic also supports and builds [Fortmatic](https://fortmatic.com), a cryptocurrency wallet integrated with many leading blockchain companies around the world.\n\n# Goals\n\nAs part of Magic's [mission](https://magic.link/docs/introduction/security) and [security overview](https://magic.link/docs/introduction/security), we want to improve the developer experience of 
authentication, while keeping security top of mind for all developers. We recognize the importance of maintaining security in our services in order to keep our users safe.\n\nWith this bounty program, we encourage researchers to discover security vulnerabilities in our systems. These can cover almost any aspect of the product, from SDKs, APIs, public-facing codebases, user interfaces, developer dashboards, and more.\n\nThe products and services of both [Magic](https://magic.link) and [Fortmatic](https://fortmatic.com) are in scope for testing.\n\nWe’d like to highlight the following focus areas for this Bug Bounty Program:\n\n- Developers’ and users’ sensitive or personal information\n- Asset or Platform security\n- Key Management systems\n- New / Beta features\n\n## Response Targets\n\nMagic will make a best effort to meet the following response targets for researchers participating in our program:\n\n- Time to first response (from report submission) - 3 business days\n- Time to triage (from first response) - 2 business days\n- Time to remediate - dependent on severity and complexity\n- Time to bounty (from triage) - 10 business days\n\nWe will try to keep you informed about our progress throughout the process.\n\n# Program Policy\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to the requirements detailed below.\n\n### Reporting Requirements\n\n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to demonstrate impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n### Disclosure Requirements\n\n- As part of the Magic Bug Bounty Program, researchers may not discuss, share or disclose the program or any vulnerabilities (even resolved ones) outside of the platform without express consent from the organization.\n- Researchers may not profit from any discovered vulnerabilities or report vulnerabilities with conditions, demands or ransom threats.\n- In an effort to ensure comprehensive remediation of vulnerabilities, any report eligible for a bounty must adhere to a standard 90-day disclosure window. Discussions regarding disclosure can be initiated after this period. Similarly, bounties related to reports seeking disclosure may be subject to this 90-day timeframe.\n- For additional guidelines on disclosure, follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n- For testing Magic, follow the Magic [Developer Terms \u0026 Conditions](https://magic.link/legal/developer-terms).\n- For testing Magic, follow the Magic [Developer API \u0026 SDK License Agreement](https://magic.link/legal/developer-license-agreement).\n- For testing Fortmatic, follow the Fortmatic [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions).\n- For testing Fortmatic, follow the Fortmatic [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement).\n\n### Research Requirements\n\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n- Do not perform testing on out-of-scope assets or vulnerabilities. Reports for out-of-scope assets or vulnerabilities will be closed as N/A.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n\nFailure to comply with the Bug Bounty Program policy or any of its requirements leads to automatic ineligibility for payouts.\n\n## In Scope Vulnerabilities\n\nFor this bug bounty program, all software vulnerabilities are considered in scope unless specified below. Please refer to the [structured scopes section](https://hackerone.com/magic-bbp/policy_scopes) to find our in-scope assets.\n\n## Out of Scope Vulnerabilities\n\n- Attacks resolved by rate limiting\n- Hijacking developer API public keys\n- Domain spoofing\n- DDoS on our systems as well as our providers' systems (e.g. our SMS provider)\n- Social engineering\n- Physical security\n- Previously known vulnerable libraries without a working Proof of Concept\n- Non-security-impacting UX issues\n- Man-in-the-Middle attacks\n- Ability to abuse any existing blockchain functionality\n- Features/links that lead to or are provided by external providers, e.g. our Typeform integrations, docs.fortmatic.com?ref=h1, etc.\n\n## Out of Scope Assets\n\n- Please refer to the [structured scopes section](https://hackerone.com/magic-bbp/policy_scopes).\n- Any other subdomain that is not listed in the [structured scopes section](https://hackerone.com/magic-bbp/policy_scopes) will be considered out of scope.\n\n# How To Get Started\n\nResearchers will require the following to be able to conduct research:\n\n### Create Your Test Account\n\nThe best way to get started with the program is to navigate to our [Magic developer dashboard](https://dashboard.magic.link/signup) or [Fortmatic developer dashboard](https://dashboard.fortmatic.com/login) and sign up for a developer account. 
This will give you access to API keys which can be used to access our assets as well as a comprehensive set of docs to get started. Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for a vulnerability while signing up and familiarizing yourself with its features.\n\n### Create Your dApp\nPlease visit our [Magic documentation](https://magic.link/docs/home/welcome) or [Fortmatic documentation](https://docs.fortmatic.com/) to get you set up with our products (you'll be up and running in \u003c5 minutes).\n\n# Safe Harbor\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. 
We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n\n# Privacy Policy\n\nThe collection of information in Magic's product is bound by the terms described in our [Privacy Policy](https://magic.link/legal/privacy-policy)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-13T19:54:49.232Z"},{"id":3661005,"new_policy":"# Magic Bug Bounty Program\n\n### Magic\n\nMagic is a developer SDK that empowers applications with passwordless authentication using magic links, WebAuthn, OAuth, and other authentication tools.\n\nMagic also builds a robust and distributed key management solution that supports this authentication infrastructure. 
\n\nWhen users want to sign up or log in to an application, the typical flow is:\n\n- User requests a magic link sent to their email address\n- User clicks on that magic link\n- User is securely logged into the application\n- If it's a web application, users are logged into the original tab, even if the user clicked on the magic link on a different browser or mobile device!\n\n### Fortmatic\n\nMagic also supports and builds [Fortmatic](https://fortmatic.com), a cryptocurrency wallet integrated with many leading blockchain companies around the world.\n\n## Goals\n\nAs part of Magic's [mission](https://magic.link/docs/introduction/security) and [security overview](https://magic.link/docs/introduction/security),\nwe want to improve the developer experience of authentication, while keeping safety and security top of mind for all developers. We recognize the importance of maintaining security in our services in order to keep our users safe.\n\nWith this bounty program, we encourage researchers to discover security flaws in our systems. These can cover almost any aspect of the product, from SDKs, APIs, public-facing codebases, user interfaces, developer dashboards, and more.\n\nThe products of both [Magic](https://magic.link) and [Fortmatic](https://fortmatic.com) are in scope for testing.\n\nWe’d like to highlight the following highest-priority assets as a focal point for this Bug Bounty Program:\n\n* Developers' and users' sensitive information\n* Asset security\n* Key Management systems\n* New / Beta features\n\n## Program Policy\nComplying with the Bug Bounty Program policy requires researchers to adhere to our “Disclosure Policy” section below.\n\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* **Please DO NOT perform testing on OUT OF SCOPE assets. Reports for out-of-scope assets will be closed as N/A, resulting in a loss of reputation.** \n\n## Test Account Creation\nThe best way to get started with the program is to navigate to our [developer dashboard](https://dashboard.magic.link/signup) and sign up for a developer account. This will give you access to API keys which can be used to access our assets as well as a comprehensive set of docs to get started. Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for an exploit while signing up and familiarizing yourself with its features.\n\n## Response Targets\nFortmatic Inc. 
will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 14 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* For testing Magic, follow the [Developer Terms \u0026 Conditions](https://magic.link/legal/developer-terms)\n* For testing Magic, follow the [Developer API \u0026 SDK License Agreement](https://magic.link/legal/developer-license-agreement)\n* For testing Fortmatic, follow the [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions)\n* For testing Fortmatic, follow the [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement)\n\nIn addition, we ask that the following policies be adhered to as well:\n- Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts.\n- Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\n## In scope vulnerabilities\nIn this bounty program, all software vulnerabilities in services provided are considered in scope. Please visit our [documentation](https://magic.link/docs/home) to get you set up with our products (you'll be up and running in \u003c5 minutes). 
You will be testing with the API test keys that we provide. When you interact with our product for the first time, 1 test ETH will be seeded into your wallet; this should give you plenty of opportunities to interact with our modal and attempt to discover vulnerabilities.\n\nPlease refer to the structured scopes section below to find our in-scope assets.\n**We will put more emphasis on the following security vulnerabilities:**\n\n* Log in as a user without their confirmation\n* Modify users' sensitive data\n* Unauthorized transfer of users' digital assets\n\n## Known Vulnerabilities\n* Rate limiting is not in place on all areas that could benefit, and so attacks that would be deterred by rate limiting are out of scope.\n\n## Out of scope vulnerabilities\nAll vulnerabilities that require or are related to the following are out of scope:\n\n* Hijacking developer API public keys\n* Domain spoofing\n* DDoS on our systems as well as our providers' systems (e.g. SMS provider)\n* Social engineering\n* Physical security\n* Previously known vulnerable libraries without a working Proof of Concept\n* Non-security-impacting UX issues\n* Man-in-the-Middle attacks\n* Ability to abuse any existing blockchain functionality\n* Features/links that lead to or are provided by external providers, e.g. our Typeform integrations, [developer docs](docs.fortmatic.com?ref=h1), etc.\n\n## Additionally out of scope\n* **Our API endpoints (api.fortmatic.com and api.magic.link) are out of scope for DDoS (any activity that could lead to the disruption of our service)**\n* **Any other subdomain that is not listed in the structured scopes section below**\n\n## Safe Harbor\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n\n## Privacy Policy\n\nThe collection of information in Magic's product is bound by the terms described in our [Privacy Policy](https://magic.link/legal/privacy-policy)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-02T21:16:39.236Z"},{"id":3660102,"new_policy":"# Magic Bug Bounty Program\n\n### Magic\n\nMagic is a developer SDK that you can integrate into your application to enable passwordless authentication using magic links, WebAuthn, OAuth, and 
other authentication tools.\n\nMagic also builds a robust and distributed key management solution that supports this authentication infrastructure. \n\nWhen users want to sign up or log in to an application, the typical flow is:\n\n- User requests a magic link sent to their email address\n- User clicks on that magic link\n- User is securely logged into the application\n- If it's a web application, users are logged into the original tab, even if the user clicked on the magic link on a different browser or mobile device!\n\n### Fortmatic\n\nMagic also supports and builds [Fortmatic](https://fortmatic.com), a cryptocurrency wallet integrated with many leading blockchain companies around the world.\n\n## Goals\n\nAs part of Magic's [mission](https://magic.link/docs/introduction/security) and [security overview](https://magic.link/docs/introduction/security),\nwe want to improve the developer experience of authentication, while keeping safety and security top of mind for all developers. We recognize the importance of maintaining security in our services in order to keep our users safe.\n\nWith this bounty program, we encourage researchers to discover security flaws in our systems. These can cover almost any aspect of the product, from SDKs, APIs, public-facing codebases, user interfaces, developer dashboards, and more.\n\nThe products of both [Magic](https://magic.link) and [Fortmatic](https://fortmatic.com) are in scope for testing.\n\nWe’d like to highlight the following highest-priority assets as a focal point for this Bug Bounty Program:\n\n* Developers' and users' sensitive information\n* Asset security\n* Key Management systems\n* New / Beta features\n\n## Program Policy\nComplying with the Bug Bounty Program policy requires researchers to adhere to our “Disclosure Policy” section below.\n\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* **Please DO NOT perform testing on OUT OF SCOPE assets. Reports for out-of-scope assets will be closed as N/A, resulting in a loss of reputation.** \n\n## Test Account Creation\nThe best way to get started with the program is to navigate to our [developer dashboard](https://dashboard.magic.link/signup) and sign up for a developer account. This will give you access to API keys which can be used to access our assets as well as a comprehensive set of docs to get started. Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for an exploit while signing up and familiarizing yourself with its features.\n\n## Response Targets\nFortmatic Inc. 
will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 14 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* For testing Magic, follow the [Developer Terms \u0026 Conditions](https://magic.link/legal/developer-terms)\n* For testing Magic, follow the [Developer API \u0026 SDK License Agreement](https://magic.link/legal/developer-license-agreement)\n* For testing Fortmatic, follow the [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions)\n* For testing Fortmatic, follow the [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement)\n\nIn addition, we ask that the following policies be adhered to as well:\n- Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts.\n- Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\n## In scope vulnerabilities\nIn this bounty program, all software vulnerabilities in services provided are considered in scope. Please visit our [documentation](https://magic.link/docs/home) to get you set up with our products (you'll be up and running in \u003c5 minutes). 
You will be testing with the API test keys that we provide. When you interact with our product for the first time, 1 test ETH will be seeded into your wallet; this should give you plenty of opportunities to interact with our modal and attempt to discover vulnerabilities.\n\nPlease refer to the structured scopes section below to find our in-scope assets.\n**We will put more emphasis on the following security vulnerabilities:**\n\n* Log in as a user without their confirmation\n* Modify users' sensitive data\n* Unauthorized transfer of users' digital assets\n\n## Known Vulnerabilities\n* Rate limiting is not in place on all areas that could benefit, and so attacks that would be deterred by rate limiting are out of scope.\n\n## Out of scope vulnerabilities\nAll vulnerabilities that require or are related to the following are out of scope:\n\n* Hijacking developer API public keys\n* Domain spoofing\n* DDoS on our systems as well as our providers' systems (e.g. SMS provider)\n* Social engineering\n* Physical security\n* Previously known vulnerable libraries without a working Proof of Concept\n* Non-security-impacting UX issues\n* Man-in-the-Middle attacks\n* Ability to abuse any existing blockchain functionality\n* Features/links that lead to or are provided by external providers, e.g. our Typeform integrations, [developer docs](docs.fortmatic.com?ref=h1), etc.\n\n## Additionally out of scope\n* **Our API endpoints (api.fortmatic.com and api.magic.link) are out of scope for DDoS (any activity that could lead to the disruption of our service)**\n* **Any other subdomain that is not listed in the structured scopes section below**\n\n## Safe Harbor\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n\n## Privacy Policy\n\nThe collection of information in Magic's product is bound by the terms described in our [Privacy Policy](https://magic.link/legal/privacy-policy)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-15T21:01:51.647Z"},{"id":3660101,"new_policy":"# Magic Bug Bounty Program\n\n### Magic\n\nMagic is a developer SDK that you can integrate into your application to enable passwordless authentication using magic links, WebAuthn, OAuth, and 
other authentication tools.\n\nMagic also builds a robust and distributed key management solution that supports this authentication infrastructure. \n\nWhen users want to sign up or log in to an application, the typical flow is:\n\n- User requests a magic link sent to their email address\n- User clicks on that magic link\n- User is securely logged into the application\n- If it's a web application, users are logged into the original tab, even if the user clicked on the magic link on a different browser or mobile device!\n\n### Fortmatic\n\nMagic also supports and builds [Fortmatic](https://fortmatic.com), a cryptocurrency wallet integrated with many leading blockchain companies around the world.\n\n## Goals\n\nAs part of Magic's [mission](https://magic.link/docs/introduction/security) and [security overview](https://magic.link/docs/introduction/security),\nwe want to improve the developer experience of authentication, while keeping safety and security top of mind for all developers. We recognize the importance of maintaining security in our services in order to keep our users safe.\n\nWith this bounty program, we encourage researchers to discover security flaws in our systems. These can cover almost any aspect of the product, from SDKs, APIs, public-facing codebases, user interfaces, developer dashboards, and more.\n\nThe products of both [Magic](https://magic.link) and [Fortmatic](https://fortmatic.com) are in scope for testing.\n\nWe’d like to highlight the following highest-priority assets as a focal point for this Bug Bounty Program:\n\n* Developers' and users' sensitive information\n* Asset security\n* Key Management systems\n* New / Beta features\n\n## Program Policy\nComplying with the Bug Bounty Program policy requires researchers to adhere to our “Disclosure Policy” section below.\n\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* **Please DO NOT perform testing on OUT OF SCOPE assets. Reports for out-of-scope assets will be closed as N/A, resulting in a loss of reputation.** \n\n## Test Account Creation\nThe best way to get started with the program is to navigate to our [developer dashboard](https://dashboard.magic.link/signup) and sign up for a developer account. This will give you access to API keys which can be used to access our assets as well as a comprehensive set of docs to get started. Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for an exploit while signing up and familiarizing yourself with its features.\n\n## Response Targets\nFortmatic Inc. 
will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 14 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* For testing Magic, follow the [Developer Terms \u0026 Conditions](https://magic.link/legal/developer-privacy)\n* For testing Magic, follow the [Developer API \u0026 SDK License Agreement](https://magic.link/legal/developer-license-agreement)\n* For testing Fortmatic, follow the [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions)\n* For testing Fortmatic, follow the [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement)\n\nIn addition, we ask that the following policies be adhered to as well:\n- Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts.\n- Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\n## In scope vulnerabilities\nIn this bounty program, all software vulnerabilities in services provided are considered in scope. Please visit our [documentation](https://magic.link/docs/home) to get you set up with our products (you'll be up and running in \u003c5 minutes). 
You will be testing with the API test keys that we provide. When you interact with our product for the first time, 1 test ETH will be seeded into your wallet; this should give you plenty of opportunities to interact with our modal and attempt to discover vulnerabilities.\n\nPlease refer to the structured scopes section below to find our in-scope assets.\n**We will put more emphasis on the following security vulnerabilities:**\n\n* Log in as a user without their confirmation\n* Modify users' sensitive data\n* Unauthorized transfer of users' digital assets\n\n## Known Vulnerabilities\n* Rate limiting is not in place on all areas that could benefit, and so attacks that would be deterred by rate limiting are out of scope.\n\n## Out of scope vulnerabilities\nAll vulnerabilities that require or are related to the following are out of scope:\n\n* Hijacking developer API public keys\n* Domain spoofing\n* DDoS on our systems as well as our providers' systems (e.g. SMS provider)\n* Social engineering\n* Physical security\n* Previously known vulnerable libraries without a working Proof of Concept\n* Non-security-impacting UX issues\n* Man-in-the-Middle attacks\n* Ability to abuse any existing blockchain functionality\n* Features/links that lead to or are provided by external providers, e.g. our Typeform integrations, [developer docs](docs.fortmatic.com?ref=h1), etc.\n\n## Additionally out of scope\n* **Our API endpoints (api.fortmatic.com and api.magic.link) are out of scope for DDoS (any activity that could lead to the disruption of our service)**\n* **Any other subdomain that is not listed in the structured scopes section below**\n\n## Safe Harbor\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n\n## Privacy Policy\n\nThe collection of information in Magic's product is bound by the terms described in our [Privacy Policy](https://magic.link/legal/privacy-policy)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-15T20:55:27.621Z"},{"id":3660100,"new_policy":"# Magic Bug Bounty Program\n\n### Magic\n\nMagic is a developer SDK that you can integrate into your application to enable passwordless authentication using magic links, WebAuthn, OAuth, and 
other authentication tools.\n\nMagic also builds a robust and distributed key management solution that supports this authentication infrastructure. \n\nWhen users want to sign up or log in to an application, the typical flow is:\n\n- User requests a magic link sent to their email address\n- User clicks on that magic link\n- User is securely logged into the application\n- If it's a web application, users are logged into the original tab, even if the user clicked on the magic link on a different browser or mobile device!\n\n### Fortmatic\n\nMagic also supports and builds [Fortmatic](https://fortmatic.com), a cryptocurrency wallet integrated with many leading blockchain companies around the world.\n\n## Goals\n\nAs part of Magic's [mission](https://magic.link/docs/introduction/security) and [security overview](https://magic.link/docs/introduction/security),\nwe want to improve the developer experience of authentication, while keeping safety and security top of mind for all developers. We recognize the importance of maintaining security in our services in order to keep our users safe.\n\nWith this bounty program, we encourage researchers to discover security flaws in our systems. These can cover almost any aspect of the product, from SDKs, APIs, public-facing codebases, user interfaces, developer dashboards, and more.\n\nThe products of both [Magic](https://magic.link) and [Fortmatic](https://fortmatic.com) are in scope for testing.\n\nWe’d like to highlight the following highest-priority assets as a focal point for this Bug Bounty Program:\n\n* Developers' and users' sensitive information\n* Asset security\n* Key Management systems\n* New / Beta features\n\n## Program Policy\nComplying with the Bug Bounty Program policy requires researchers to adhere to our “Disclosure Policy” section below.\n\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* **Please DO NOT perform testing on OUT OF SCOPE assets. Reports for out-of-scope assets will be closed as N/A, resulting in a loss of reputation.** \n\n## Test Account Creation\nThe best way to get started with the program is to navigate to our [developer dashboard](https://dashboard.magic.link/signup) and sign up for a developer account. This will give you access to API keys which can be used to access our assets as well as a comprehensive set of docs to get started. Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for an exploit while signing up and familiarizing yourself with its features.\n\n## Response Targets\nFortmatic Inc. 
will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 14 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* For testing Magic, follow the [Developer Terms \u0026 Conditions](https://magic.link/legal/developer-terms)\n* For testing Magic, follow the [Developer API \u0026 SDK License Agreement](https://magic.link/legal/developer-license-agreement)\n* For testing Fortmatic, follow the [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions)\n* For testing Fortmatic, follow the [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement)\n\nIn addition, we ask that the following policies be adhered to as well:\n- Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts.\n- Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\n## In scope vulnerabilities\nIn this bounty program, all software vulnerabilities in services provided are considered in scope. Please visit our [documentation](https://magic.link/docs/home) to get you set up with our products (you'll be up and running in \u003c5 minutes). 
You will be testing with the API test keys that we provide. When you interact with our product for the first time, 1 test ETH will be seeded into your wallet; this should give you plenty of opportunities to interact with our modal and attempt to discover vulnerabilities.\n\nPlease refer to the structured scopes section below to find our in-scope assets.\n**We will put more emphasis on the following security vulnerabilities:**\n\n* Log in as a user without their confirmation\n* Modify user sensitive data\n* Unauthorized transfer of user digital assets\n\n## Known Vulnerabilities\n* Rate limiting is not in place on all areas that could benefit, and so attacks that would be deterred by rate limiting are out of scope.\n\n## Out of scope vulnerabilities\nAll vulnerabilities that require or are related to the following are out of scope:\n\n* Hijacking developer API public keys\n* Domain spoofing\n* DDoS on our systems as well as our providers' systems (e.g. SMS provider)\n* Social engineering\n* Physical security\n* Previously known vulnerable libraries without a working Proof of Concept\n* Non-security-impacting UX issues\n* Man-in-the-Middle attacks\n* Ability to abuse any existing blockchain functionality\n* Features/links that lead to or are provided by external providers, e.g. our Typeform integrations, [developer docs](docs.fortmatic.com?ref=h1), etc.\n\n## Additionally, out of scope\n* **Our API endpoints (api.fortmatic.com and api.magic.link) are out of scope for DDoS (any activity that could lead to the disruption of our service)**\n* **Any other subdomain that is not listed in the structured scopes section below**\n\n## Safe Harbor\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-15T20:53:33.480Z"},{"id":3659647,"new_policy":"# Magic Bug Bounty Program\n\n### Magic\n\nMagic is a developer SDK that you can integrate into your application to enable passwordless authentication using magic links, WebAuthn, OAuth, and other authentication tools.\n\nMagic also builds a robust and distributed key management solution that supports this authentication infrastructure. 
\n\nWhen users want to sign up or log in to an application, the typical flow is:\n\n- User requests a magic link sent to their email address\n- User clicks on that magic link\n- User is securely logged into the application\n- If it's a web application, users are logged into the original tab, even if the user clicked on the magic link on a different browser or mobile device!\n\n### Fortmatic\n\nMagic also supports and builds [Fortmatic](https://fortmatic.com), a cryptocurrency wallet integrated with many leading blockchain companies around the world.\n\n## Goals\n\nAs part of Magic's [mission](https://magic.link/docs/introduction/security) and [security overview](https://magic.link/docs/introduction/security),\nwe want to improve the developer experience of authentication, while keeping safety and security top of mind for all developers. We recognize the importance of maintaining security in our services in order to keep our users safe.\n\nWith this bounty program, we encourage researchers to discover security flaws in our systems. These can cover almost any aspect of the product, from SDKs, APIs, public-facing codebases, user interfaces, developer dashboards, and more.\n\nBoth [Magic](https://magic.link) and [Fortmatic](https://fortmatic.com)'s products are in scope for testing.\n\nWe’d like to highlight the following highest priority assets as a focal point for this Bug Bounty Program:\n\n* Developers' and users' sensitive information\n* Asset security\n* Key Management systems\n* New / Beta features\n\n## Program Policy\nComplying with the Bug Bounty Program policy requires researchers to adhere to our “Disclosure Policy” section below.\n\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* **Please DO NOT perform testing on OUT OF SCOPE assets. Reports for out of scope assets will be closed as N/A, resulting in negative reputation gain.** \n\n## Test Account Creation\nThe best way to get started with the program is to navigate to our [developer dashboard](https://dashboard.magic.link/signup) and sign up for a developer account. This will give you access to API keys which can be used to access our assets as well as a comprehensive set of docs to get started. Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for an exploit while signing up and familiarizing yourself with its features.\n\n## Response Targets\nFortmatic Inc. 
will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 14 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* For testing Magic, follow the [Developer Terms \u0026 Conditions](https://magic.link/legal/developer-privacy)\n* For testing Magic, follow the [Developer API \u0026 SDK License Agreement](https://magic.link/legal/developer-license-agreement)\n* For testing Fortmatic, follow the [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions)\n* For testing Fortmatic, follow the [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement)\n\nIn addition, we ask that the following policies be adhered to as well:\n- Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts.\n- Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\n## In scope vulnerabilities\nIn this bounty program, all software vulnerabilities in services provided are considered in scope. Please visit our [documentation](https://magic.link/docs/home) to get you set up with our products (you'll be up and running in \u003c5 minutes). 
You will be testing with the API test keys that we provide. When you interact with our product for the first time, 1 test ETH will be seeded into your wallet; this should give you plenty of opportunities to interact with our modal and attempt to discover vulnerabilities.\n\nPlease refer to the structured scopes section below to find our in-scope assets.\n**We will put more emphasis on the following security vulnerabilities:**\n\n* Log in as a user without their confirmation\n* Modify user sensitive data\n* Unauthorized transfer of user digital assets\n\n## Known Vulnerabilities\n* Rate limiting is not in place on all areas that could benefit, and so attacks that would be deterred by rate limiting are out of scope.\n\n## Out of scope vulnerabilities\nAll vulnerabilities that require or are related to the following are out of scope:\n\n* Hijacking developer API public keys\n* Domain spoofing\n* DDoS on our systems as well as our providers' systems (e.g. SMS provider)\n* Social engineering\n* Physical security\n* Previously known vulnerable libraries without a working Proof of Concept\n* Non-security-impacting UX issues\n* Man-in-the-Middle attacks\n* Ability to abuse any existing blockchain functionality\n* Features/links that lead to or are provided by external providers, e.g. our Typeform integrations, [developer docs](docs.fortmatic.com?ref=h1), etc.\n\n## Additionally, out of scope\n* **Our API endpoints (api.fortmatic.com and api.magic.link) are out of scope for DDoS (any activity that could lead to the disruption of our service)**\n* **Any other subdomain that is not listed in the structured scopes section below**\n\n## Safe Harbor\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-06T21:06:55.108Z"},{"id":3639578,"new_policy":"# Fortmatic Bug Bounty Program\n\nFortmatic Inc. offers developers a JavaScript SDK supported by a Python Flask API backend to seamlessly authenticate their users. The SDK is ultra-portable and works across all modern mobile/desktop browsers, and provides a seamless modal experience for users not unlike the feel of Stripe checkout with a *twist*. 
The twist is that Fortmatic is designed to be easily integrated with Ethereum applications. However, worry not: while we interact with the blockchain, your typical web security knowledge and intuition will transfer well to Fortmatic's assets -- you'll also find detailed treasure maps in our asset descriptions to help you get up to speed and hacking.\n\nAs a part of Fortmatic's [mission](https://fortmatic.com?ref=h1), we want to focus heavily on improving the developer experience in blockchain development while keeping safety and security top of mind for all developers that use Fortmatic. We recognize the importance of maintaining security in our services in order to keep our users safe. With this bounty program, we encourage individual researchers to use this platform to engage with our services to discover security flaws in our systems. We hope to become the most trusted way for developers to integrate with blockchains with the support and help from the security community and researchers.\n\n**With that being said, we’d like to highlight the following highest priority assets as a focal point for this Bug Bounty Program:**\n\n* Developers' and users' sensitive information\n* Asset security\n\n## Program Policy\nComplying with the Bug Bounty Program policy requires researchers to adhere to our “Disclosure Policy” section below.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* **Please DO NOT perform testing on OUT OF SCOPE assets. Reports for out of scope assets will be closed as N/A, resulting in negative reputation gain.** \n\n## Test Account Creation\nThe best way to get started with the program is to navigate to our [developer dashboard](https://dashboard.fortmatic.com/login?ref=h1) and sign up for a developer account. This will give you access to API keys which can be used to access our assets as well as a comprehensive set of docs to get started. Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for an exploit while signing up and familiarizing yourself with its features.\n\n## Response Targets\nFortmatic Inc. will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 14 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Follow Fortmatic’s [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions?ref=h1)\n* Follow Fortmatic’s [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement?ref=h1)\n\nIn addition, we ask that the following policies be adhered to as well:\n- Not profiting from or allowing any other party to 
profit from a vulnerability outside of Bug Bounty Program payouts from Fortmatic.\n- Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\n## In scope vulnerabilities\nIn this bounty program, all software vulnerabilities in services provided by Fortmatic are considered in scope. Please visit our [documentation](https://docs.fortmatic.com?ref=h1) to get you set up with our products (you'll be up and running in \u003c5 minutes). You will be testing with the API test keys that we provide. When you interact with our product for the first time, 1 test ETH will be seeded into your wallet; this should give you plenty of opportunities to interact with our modal and attempt to discover vulnerabilities.\n\nPlease refer to the structured scopes section below to find our in-scope assets.\n**We will put more emphasis on the following security vulnerabilities:**\n\n* Modify user sensitive data\n* Unauthorized transfer of user digital assets\n\n## Known Vulnerabilities\n* **Bugs involving bypass of SMS/2FA verification are known issues and will be considered duplicates**\n\n## Out of scope vulnerabilities\nAll vulnerabilities that require or are related to the following are out of scope:\n\n* Hijacking developer API public keys\n* Domain spoofing\n* DDoS on our systems as well as our providers' systems (e.g. SMS provider)\n* Social engineering\n* Physical security\n* Previously known vulnerable libraries without a working Proof of Concept\n* Non-security-impacting UX issues\n* Man-in-the-Middle attacks\n* Ability to abuse any existing blockchain functionality\n* Features/links that lead to or are provided by external providers, e.g. our Typeform integrations, [developer docs](docs.fortmatic.com?ref=h1), etc.\n\n## Additionally out of scope\n* **Our API endpoint (api.fortmatic.com/api.magic.link) is out of scope for DDoS (any activity that could lead to the disruption of our service)**\n* **Any other subdomain that is not listed in the structured scopes 
section below**\n\n## Safe Harbor\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-14T17:44:00.153Z"},{"id":3638389,"new_policy":"# Fortmatic Bug Bounty Program\n\nFortmatic Inc. 
offers developers a JavaScript SDK supported by a Python Flask API backend to seamlessly authenticate their users. The SDK is ultra-portable and works across all modern mobile/desktop browsers, and provides a seamless modal experience for users not unlike the feel of Stripe checkout with a *twist*. The twist is that Fortmatic is designed to be easily integrated with Ethereum applications. However, worry not: while we interact with the blockchain, your typical web security knowledge and intuition will transfer well to Fortmatic's assets -- you'll also find detailed treasure maps in our asset descriptions to help you get up to speed and hacking.\n\nAs a part of Fortmatic's [mission](https://fortmatic.com/about), we want to focus heavily on improving the developer experience in blockchain development while keeping safety and security top of mind for all developers that use Fortmatic. We recognize the importance of maintaining security in our services in order to keep our users safe. With this bounty program, we encourage individual researchers to use this platform to engage with our services to discover security flaws in our systems. We hope to become the most trusted way for developers to integrate with blockchains with the support and help from the security community and researchers.\n\n**With that being said, we’d like to highlight the following highest priority assets as a focal point for this Bug Bounty Program:**\n\n* Developers' and users' sensitive information\n* Asset security\n\n## Program Policy\nComplying with the Bug Bounty Program policy requires researchers to adhere to our “Disclosure Policy” section below.\n\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* **Please DO NOT perform testing on OUT OF SCOPE assets. Reports for out of scope assets will be closed as N/A, resulting in negative reputation gain.** \n\n## Test Account Creation\nThe best way to get started with the program is to navigate to our [developer dashboard](https://dashboard.fortmatic.com) and sign up for a developer account. This will give you access to API keys which can be used to access our assets as well as a comprehensive set of docs to get started. Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for an exploit while signing up and familiarizing yourself with its features.\n\n## Response Targets\nFortmatic Inc. 
will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 14 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Follow Fortmatic’s [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions)\n* Follow Fortmatic’s [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement)\n\nIn addition, we ask that the following policies be adhered to as well:\n- Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Fortmatic.\n- Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\n## In scope vulnerabilities\nIn this bounty program, all software vulnerabilities in services provided by Fortmatic are considered in scope. Please visit our [documentation](https://docs.fortmatic.com/) to get you set up with our products (you'll be up and running in \u003c5 minutes). 
You will be testing with the API test keys that we provide. When you interact with our product for the first time, 1 test ETH will be seeded into your wallet; this should give you plenty of opportunities to interact with our modal and attempt to discover vulnerabilities.\n\nPlease refer to the structured scopes section below to find our in-scope assets.\n**We will put more emphasis on the following security vulnerabilities:**\n\n* Modify user sensitive data\n* Unauthorized transfer of user digital assets\n\n## Known Vulnerabilities\n* **Bugs involving bypass of SMS/2FA verification are known issues and will be considered duplicates**\n\n## Out of scope vulnerabilities\nAll vulnerabilities that require or are related to the following are out of scope:\n\n* Hijacking developer API public keys\n* Domain spoofing\n* DDoS on our systems as well as our providers' systems (e.g. SMS provider)\n* Social engineering\n* Physical security\n* Previously known vulnerable libraries without a working Proof of Concept\n* Non-security-impacting UX issues\n* Man-in-the-Middle attacks\n* Ability to abuse any existing blockchain functionality\n* Features/links that lead to or are provided by external providers, e.g. our Typeform integrations, [developer docs](docs.fortmatic.com), etc.\n\n## Additionally out of scope\n* **Our API endpoint (api.fortmatic.com/api.magic.link) is out of scope for DDoS (any activity that could lead to the disruption of our service)**\n* **Any other subdomain that is not listed in the structured scopes section below**\n\n## Safe Harbor\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). 
We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-24T16:49:33.158Z"},{"id":3637184,"new_policy":"# Fortmatic Bug Bounty Program\n\nFortmatic Inc. offers developers a JavaScript SDK supported by a Python Flask API backend to seamlessly authenticate their users. The SDK is ultra-portable and works across all modern mobile/desktop browsers, and provides a seamless modal experience for users not unlike the feel of Stripe checkout with a *twist*. The twist is that Fortmatic is designed to be easily integrated with Ethereum applications. 
However, worry not: while we interact with the blockchain, your typical web security knowledge and intuition will transfer well to Fortmatic's assets -- you'll also find detailed treasure maps in our asset descriptions to help you get up to speed and hacking.\n\nAs a part of Fortmatic's [mission](https://fortmatic.com/about), we want to focus heavily on improving the developer experience in blockchain development while keeping safety and security top of mind for all developers that use Fortmatic. We recognize the importance of maintaining security in our services in order to keep our users safe. With this bounty program, we encourage individual researchers to use this platform to engage with our services to discover security flaws in our systems. We hope to become the most trusted way for developers to integrate with blockchains with the support and help from the security community and researchers.\n\n**With that being said, we’d like to highlight the following highest priority assets as a focal point for this Bug Bounty Program:**\n\n* Developers' and users' sensitive information\n* Asset security\n\n## Program Policy\nComplying with the Bug Bounty Program policy requires researchers to adhere to our “Disclosure Policy” section below.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n* **Please DO NOT perform testing on OUT OF SCOPE assets. Reports for out of scope assets will be closed as N/A, resulting in negative reputation gain.** \n\n## Test Account Creation\nThe best way to get started with the program is to navigate to our [developer dashboard](https://dashboard.fortmatic.com) and sign up for a developer account. This will give you access to API keys which can be used to access our assets as well as a comprehensive set of docs to get started. Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for an exploit while signing up and familiarizing yourself with its features.\n\n## Response Targets\nFortmatic Inc. will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 14 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Follow Fortmatic’s [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions)\n* Follow Fortmatic’s [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement)\n\nIn addition, we ask that the following policies be adhered to as well:\n- Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Fortmatic.\n- Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\n## In scope vulnerabilities\nIn this 
bounty program, all software vulnerabilities in services provided by Fortmatic are considered in scope. Please visit our [documentation](https://docs.fortmatic.com/) to get set up with our products (you'll be up and running in \u003c5 minutes). You will be testing with the API test keys that we provide. When you interact with our product for the first time, 1 test ETH will be seeded into your wallet; this should give you plenty of opportunities to interact with our modal and attempt to discover vulnerabilities.\n\nPlease refer to the structured scopes section below to find our in-scope assets.\n**We will put more emphasis on the following security vulnerabilities:**\n\n* Modifying user sensitive data\n* Unauthorized transfer of user digital assets\n\n## Known Vulnerabilities\n* **Bugs involving bypass of SMS/2FA verification are known issues and will be considered duplicates**\n\n## Out of scope vulnerabilities\nAll vulnerabilities that require or are related to the following are out of scope:\n\n* Hijacking developer API public keys\n* Domain spoofing\n* DDoS against our SMS providers\n* Social engineering\n* Physical security\n* Previously known vulnerable libraries without a working Proof of Concept\n* Non-security-impacting UX issues\n* Ability to abuse any existing blockchain functionality\n* Features/links that lead to or are provided by external providers, i.e. our Typeform integrations, [developer docs](docs.fortmatic.com), etc.\n\n## Additionally out of scope\n* **Our API endpoint (api.fortmatic.com) is out of scope for DDoS (any activity that could lead to the disruption of our service)**\n* **Any other subdomain that is not listed in the structured scopes section below**\n\n## Safe Harbor\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-09T18:47:04.641Z"},{"id":3633745,"new_policy":"#Fortmatic Bug Bounty Program\n\nFortmatic Inc. offers developers a Javascript SDK supported by a Python Flask API backend to seamlessly authenticate their users. The SDK is ultra-portable and works across all modern mobile/desktop browsers, and provides a seamless modal experience for users not unlike the feel of Stripe checkout with a *twist*. 
The twist is that Fortmatic is designed to be easily integrated with Ethereum applications. However, worry not: while we interact with the blockchain, your typical web security knowledge and intuition will transfer well to Fortmatic's assets -- you'll also find detailed treasure maps in our asset descriptions to help you get up to speed and hacking.\n\nAs a part of Fortmatic's [mission](https://fortmatic.com/about) we want to focus heavily on improving developer experience in blockchain development while keeping safety and security top of mind for all developers that use Fortmatic. We recognize the importance of maintaining security in our services in order to keep our users safe. With this bounty program, we encourage individual researchers to use this platform to engage with our services to discover security flaws in our systems. We hope to become the most trusted way for developers to integrate with blockchains with the support and help of the security community and researchers.\n\n**With that being said, we’d like to highlight the following highest priority assets as a focal point for this Bug Bounty Program:**\n\n* Developers' and users' sensitive information\n* Asset security\n\n## Program Policy\nComplying with the Bug Bounty Program policy requires researchers to adhere to our “Disclosure Policy” section below.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n## Test Account Creation\nThe best way to get started with the program is to navigate to our [developer dashboard](https://dashboard.fortmatic.com) and sign up for a developer account. This will give you access to API keys which can be used to access our assets as well as a comprehensive set of docs to get started. Furthermore, as the dashboard is an in-scope asset, you may just find inspiration for an exploit while signing up and familiarizing yourself with its features.\n\n## Response Targets\nFortmatic Inc. will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 14 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Follow Fortmatic’s [Developer Terms \u0026 Conditions](https://www.fortmatic.com/legal/developer-terms-conditions)\n* Follow Fortmatic’s [Developer API \u0026 SDK License Agreement](https://www.fortmatic.com/legal/developer-license-agreement)\n\nIn addition, we ask that the following policies be adhered to as well:\n- Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Fortmatic.\n- Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\n## In scope 
vulnerabilities\nIn this bounty program, all software vulnerabilities in services provided by Fortmatic are considered in scope. Please visit our [documentation](https://docs.fortmatic.com/) to get set up with our products (you'll be up and running in \u003c5 minutes). You will be testing with the API test keys that we provide. When you interact with our product for the first time, 1 test ETH will be seeded into your wallet; this should give you plenty of opportunities to interact with our modal and attempt to discover vulnerabilities.\n\nPlease refer to the structured scopes section below to find our in-scope assets.\n**We will put more emphasis on the following security vulnerabilities:**\n\n* Modifying user sensitive data\n* Unauthorized transfer of user digital assets\n\n## Known Vulnerabilities\n* **Bugs involving bypass of SMS/2FA verification are known issues and will be considered duplicates**\n\n## Out of scope vulnerabilities\nAll vulnerabilities that require or are related to the following are out of scope:\n\n* Hijacking developer API public keys\n* Domain spoofing\n* DDoS against our SMS providers\n* Social engineering\n* Physical security\n* Previously known vulnerable libraries without a working Proof of Concept\n* Non-security-impacting UX issues\n* Ability to abuse any existing blockchain functionality\n* Features/links that lead to or are provided by external providers, i.e. our Typeform integrations, [developer docs](docs.fortmatic.com), etc.\n\n## Additionally out of scope\n* **Our API endpoint (api.fortmatic.com) is out of scope for DDoS (any activity that could lead to the disruption of our service)**\n* **Any other subdomain that is not listed in the structured scopes section below**\n\n## Safe Harbor\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\nIf legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\nYou are expected, as always, to comply with all applicable laws.\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThis document contains material from the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) project, which can be found on [github](https://github.com/EdOverflow/legal-bug-bounty).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-23T18:04:46.486Z"}]