Magento Admin Brute Force Bounty Contest

Contest 1 (two separate payouts): Brute force the Magento admin on two domains

  • Text to (303) 317-2059 to get instructions

Prize: Varies per severity of bug.

How to claim the prize:

    i. Brute force the admin area of either domain,
    ii. There’s a saved, unpublished block that includes a hash and some additional instructions. Copy that info and send a Twitter Direct Message to @bradcanderson.

In the event multiple people are successful at the same time, the first received and verified DM wins.

Bounty paid via Bitcoin.

Limits and Exclusions:
This is an admin brute force contest only. The only reward is for gaining admin access to the Magento admin area. We reserve the right to stop this contest at any time. EVERYTHING else is out of scope, including but not limited to reporting:

  • Missing HttpOnly flags
  • Secure flag
  • Browser Cache vulnerabilities
  • Usability issues
  • Misconfigurations
  • https/http availability
  • Cipher suites
  • Vulnerabilities related to 3rd-party software (Java plugins etc.)
  • Site hijacking
  • Form spam
  • MIME
  • Brute forcing anything else including ssh (your IPs will be blocked permanently – don’t burn IPs on a contest)
  • Password resetting issues
  • Expiring sessions

Magento Hosting & Development
If you need Magento hosting or development work we’d love to chat.

If you’re at the annual Magento conference Imagine 2016 in Las Vegas, we’d love to meet up and discuss the projects you’re working on or the work you have.