Bug Bounty

Tue 28 Apr

PayPal Inc Bug Bounty - JDWP Remote Code Execution Vulnerability


In the last weeks a new security researcher, "Milan A Solanki", was actively reporting security bugs to PayPal and eBay Inc. One of his valid and verified issues was exclusively disclosed by the Vulnerability Laboratory infrastructure. In April, Milan A Solanki discovered a remote code execution vulnerability in the marketing online service web application of PayPal. The issue was marked as critical with a CVSS score of 9.3.

The Java Debug Wire Protocol (JDWP) is the protocol used for communication between a debugger and the Java virtual machine (VM) which it debugs (hereafter called the target VM). JDWP is one layer within the Java Platform Debugger Architecture (JPDA). JDWP does not use any authentication and could be abused by an attacker to execute arbitrary code on the affected server.

Wed 22 Apr

Magento split up the Bug Bounty Program of Ebay - Begin 1st May!


This morning we received a mail message from the representatives of the Magento bug bounty program.

The mail was sent to all active security researchers in the official eBay Inc and Magento bug bounty program.

In the message, the Magento team announces that active researchers should send new reports (beginning 1st May) to the official Magento bug bounty source. The reason is a cooperative split of both programs.

"Hello Magento Researchers, beginning on May 1, Magento submissions should be directed to security@magento.com. For messages with sensitive content, please encrypt your email with our encryption key which can be found on the security center page, https://magento.com/security."
