Shopify Scripts __is powered by a Ruby gem ( ESS __) that wraps MRuby __. It provides a sandboxed, lightweight environment where untrusted Ruby scripts can be executed safely in a way that isolates them from Shopify’s native Ruby environment. We are looking to reward any issue that affects this sandboxed environment that could put Shopify’s infrastructure or our merchants’ data at risk.

Scope

• Any issue in MRuby __, as long as it is exploitable through ESS __.
• Any issue that affects Shopify caused by a bug in MRuby __or ESS __.

Rules for participation

1. Do not test any proofs of concept on Shopify’s infrastructure, or existing Shopify stores.
2. Do not disclose issues publicly before they are resolved.
3. Only original reports will be rewarded.
4. We will reward security issues only; bugs without security implications should not be reported.
5. You agree to release any patch sent to us under the original project license (in this case, MIT License __).

Failure to follow these rules will disqualify you from participating in this program.

Maximum payouts and eligible vulnerabilities

• $20,000 for issues that directly lead to a compromise of Shopify’s infrastructure (for example, remote code execution outside ESS's seccomp-bpf sandbox, with a PoC provided).
• $10,000 for issues that would lead to a compromise of Shopify’s infrastructure if an MRuby bug allowing arbitrary code execution inside the seccomp-bpf sandbox were present (for example, a demonstration that the seccomp-bpf sandbox restrictions can be bypassed to execute arbitrary code without syscall restrictions).
• $5,000 for denial of service against Shopify’s infrastructure (for example, a crash affecting the MRI process, with a PoC provided).
• $1,000 for security issues affecting MRuby as configured in ESS (for example, a crash in the sandboxed MRuby process).
• $500 for a bypass of resource limitations (execution time, instruction count, or memory allocation).
• $200 for serialization issues, escaping issues, unsafe handling of attacker-controlled data, etc. caused by a bug in MRuby or ESS.
• $100 for security issues not affecting Shopify but affecting MRuby or ESS.

Notes:

• A proof of concept for the top bounty tier must use the version of MRuby that is specified in ESS's master branch.
• Proofs of concept for the top three bounty tiers should demonstrate an attack that is effective against the operating system we use in our production servers (presently Ubuntu 14.04 64-bit). The Vagrant environment that we provide with ESS can be used for testing.

Criteria for awarding bounties

We will use the following criteria to help us determine a final payout amount for each valid issue reported to us.

• The report demonstrates beyond a doubt that that the issue is exploitable, with a working proof of concept or any other appropriate means.
• The report includes a patch that resolves the issue. Since MRuby and ESS are open source projects, we’d like to encourage meaningful contributions that will benefit everyone.
• Difficulty of exploitation and impact will be considered as well.

Known issues

The following issues are already known to us, and will be closed as duplicates:

• Stack overflows resulting from execution of recursive Ruby code, parsing of long Ruby expressions, or printing recursive objects
• Crashes when processing untrusted RiteBinary (mrb) files
• Any issue listed at https://github.com/mruby/mruby/issues __
• Any MRuby issue caught by ESS's regression testing script __