Magic's Commitment to Product Security

Arthur Jen · August 17, 2023

At Magic, we understand the importance of safeguarding user data and maintaining trust. Core to our security philosophy is ensuring we continually improve our security posture, and our commitment to staying ahead of potential vulnerabilities across our entire product suite is unwavering. 

Our constructive collaboration with ethical hackers and security researchers is a testament to our dedication to, and our investment in, product security. Magic partners with HackerOne—an industry-leading bug bounty platform. Together, we run a bug bounty program in which we encourage participants to submit bug reports in return for reward bounties. We believe that running a community-driven bug bounty program helps to ensure that we identify vulnerabilities before they can be exploited and make necessary changes swiftly. These types of community engagements ultimately help to build trust and enable constructive collaboration with researchers. 

“HackerOne is proud to partner with Magic, using the expertise of top hackers to fortify the company’s attack surface and keep user data safe,” said Josh Jacobson, Director, Security Advisory Services at HackerOne. “Magic’s dedication to openness and constant betterment truly sets a remarkable standard. As a key connector between the global hacker community and businesses, we’re proud to amplify Magic’s engagement with these skilled individuals.”

Recently, Magic further demonstrated our commitment to safeguarding user data by offering solutions to two separate findings from HackerOne. While these findings were not vulnerabilities in Magic’s software or systems themselves, Magic chose to invest in building and releasing several security-centric innovations to our user experience.

# Clickjacking

One such issue was related to “clickjacking,” wherein the styling on a webpage could be used against unsuspecting page visitors by tricking them into taking actions they did not intend. To defend against clickjacking, Magic added a verification step that now requires users to confirm sensitive wallet actions. This helps protect end-user activity from style-based attacks while minimizing additional user friction.

# Synchronous Phishing

The second issue was an attack vector we call synchronous phishing. In these instances, a malicious actor attempts to “phish” a user into entering information and co-opts their account at the same time as the user is attempting to log in. To protect against this phishing attack, Magic added a device verification flow. By providing device verification to protect our customers’ authentication flows, Magic has taken a significant step in securing our customers’ and end-users’ data and digital assets.

These remediations against non-traditional software security vulnerabilities serve as an example of Magic’s commitment to security and the benefits of collaboration with the external research community.

Maintaining our product security is a collaborative effort, and we work with other companies (even competitors) to make Web3 safer for everyone. We welcome productive participation in our bug bounty program, in which participants can submit bug reports that follow disclosure guidelines for reward bounties. While most researcher interactions are positive and collaboration is constructive, Magic has recently seen instances where a researcher has taken actions that directly violate Magic and HackerOne’s ethical disclosure guidelines and put users and their data at risk. These guidelines outline ethical security practices, which are the pillars of any successful bug bounty program. In order to uphold the integrity of the program, Magic has occasionally made the difficult choice to remove researchers from the program and not pay out a bounty in instances where program policies have been violated. We value and appreciate the contributions of the external research community and are committed to the benefits of a successful bug bounty program.

As Magic continues to innovate and improve our security posture, we invite all researchers to take part in our bug bounty program with HackerOne. We believe encouraging interactions with researchers around the globe aligns with our commitment to investing in product security and innovating across our entire product suite.

Let's make some magic!