Merchant trust and safety is our #1 priority; our maximum bounty of $100,000 reflects that.
If you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a @wearehackerone.com email address. We have a list of known issues you should review before reporting.
We pay our bounties based on CVSS scores using our CVSS Bounty Calculator.
Happy Hacking!
Shopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the In Scope properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly your-store.myshopify.com/admin) and certain ancillary applications.
We look forward to working with all security researchers and strive to be respectful, to always assume the best, and to treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:
Reply to all reports within one business day and triage within two business days (if applicable)
Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports
Award bounties within a week of triage (excluding extenuating circumstances)
Only close reports as N/A when the issue reported is included in Known Issues or Ineligible Vulnerability Types, or lacks evidence of a vulnerability
Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.
If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with PR:N required versus PR:L on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.
You must use a bug bounty partner account to create shops for testing or use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop. Doing so may also give you access to new features on your shop before the feature is fully released.
Vulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.
The scope of the bug bounty program is limited to the domains listed at the bottom of this page. Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward. For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.
All software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our sandboxed script execution environment, the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.
If you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.
Bounty amounts will be determined using our CVSS Bounty Calculator. In most cases, we will only triage and reward vulnerabilities with a CVSS score greater than 0. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report.
While our bounty table states the minimum bounty per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for Confidentiality, Integrity and Availability Requirements.
"Shopify Core" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the "Non-Core" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.
Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Reward Criteria.
The following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as Not Applicable:
XSS - Storefront - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).
XSS - iFrames - Any issue related to the storefront area being displayed in an <iframe> element in the admin area, for example in the Theme Editor.
XSS - Rich Text Editor - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Blogs and Pages section of the Shopify admin.
XSS - Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.
Arbitrary file upload - Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.
CSRF access to modify cart
CSRF for Login or Logout - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact
Insecure cookie handling for account identifying cookies
Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json) - These endpoints are intentionally available to all staff.
Password reset tokens don’t expire when changing email address
Email address change doesn’t require verification
Tab nabbing
Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)
Insecure “Opening Soon” password
Reflected XSS that requires full control of an HTTP header, such as Referer, Host, etc.
User or store name enumeration
CSV / formula injection
Hyperlink injection
Mobile application biometrics bypass
Lack of domain verification when adding a custom domain to your shop.
Staff members with "Edit Permissions" removing permissions they do not have themselves
Brute-forcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.
Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.
User permission issues in Stocky
Shopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:
Distributed Denial of Service
Content spoofing
Social Engineering, including phishing
Email flooding
Unconfirmed reports from automated vulnerability scanners
Disclosure of server or software version numbers
Generic examples of Host header attacks without evidence of the ability to target a remote victim
Reports related to permitted password strength
Lack of mobile binary protection, mobile SSL pinning
Theoretical sub-domain takeovers with no supporting evidence
Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system
Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials transmitted in a POST body as plain text, missing rate limits, brute-forcing without demonstrating impact, etc.
Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.
Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)
Perceived permission issues without impact on the integrity or confidentiality of data (ex. changing admin view settings, such as saved searches)
Open Redirects without demonstrating additional security impact (such as stealing auth tokens)
Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers
False reports, or reports lacking evidence of a vulnerability
Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)
The following rules must be followed in order for any rewards to be paid:
You may only test against shops you have created which include your HackerOne YOURHANDLE @ wearehackerone.com registered email address.
You must not attempt to gain access to, or interact with, any shops other than those created by you.
The use of commercial scanners is prohibited (e.g., Nessus).
Rules for reporting must be followed.
Do not disclose any issues publicly before they have been resolved.
Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.
Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.
You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.
You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.
By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.
All content submitted by you to Shopify under this program is licensed under the MIT License.
You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.
Failure to follow any of the foregoing rules will disqualify you from participating in this program.
This program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.
Shopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.
Upon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.
For our newest product updates, keep an eye on our Core Change Log and Partners Blog.
Scope Type | Scope Name |
---|---|
other | Shopify Developed Apps |
other | Shopify Mobile Applications |
other | Shopify Third Party Apps |
other | Shopify Third Party Store |
other | Shopify Scripts Platform |
web_application | your-store.myshopify.com |
web_application | accounts.shopify.com |
web_application | partners.shopify.com |
web_application | exchangemarketplace.com |
web_application | *.shopify.com |
web_application | *.shopifykloud.com |
web_application | *.shopifycloud.com |
web_application | linkpop.com |
web_application | shopifyinbox.com |
web_application | shop.app |
web_application | shopify.plus |
web_application | arrive-server.shopifycloud.com |
Scope Type | Scope Name |
---|---|
other | Other |
other | Spam |
web_application | shopify.asia |
web_application | investors.shopify.com |
web_application | livechat.shopify.com |
web_application | cdn.shopify.com |
web_application | hackerone.com |
web_application | *.shopify.io |
web_application | *.email.shopify.com |
web_application | go.shopify.com |
web_application | partner-training.shopify.com |
web_application | community.shopify.com |
web_application | spotify.com,*.spotify.com |
FireBounty crawled the program Shopify on the platform HackerOne on 2015-04-09.