|Scope Type||Scope Name|
|other||Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.|
|other||You may only test against shops you have created.|
|other||Shopify apps otherwise not listed as in scope. These are not eligible for a bounty.|
Out of Scope
|Scope Type||Scope Name|
|web_application||This is Shopify, not Spotify.|
Shopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the In Scope properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly store.myshopify.com/admin) and certain ancillary applications.
We look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:
N/A when the issue reported is included in Ineligible Vulnerability Types or lacks evidence of a vulnerability
All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.
We encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines: https://app.shopify.com/services/partners/signup/whitehat
You must use a whitehat partner account to create shops for testing or use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop. Doing so may also give you access to new features on your shop before the feature is fully released.
The scope of the whitehat program is limited to the domains listed at the bottom of this page. Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward. For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.
All software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our sandboxed script execution environment, the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.
If you need further clarification of the rules or scope of our bug bounty program, you may email us at firstname.lastname@example.org.
In most cases, we will only reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.
Prior bounty amounts awarded are not precedent for future payments.
| Type | Shopify Core | Non-Core |
|---|---|---|
| Arbitrary code execution | $10,000 - $25,000 | $2,500 - $12,500 |
| SQL Injection | $10,000 - $20,000 | $2,500 - $10,000 |
| Privilege escalation to shop owner | $5,000 - $15,000 | $2,000 - $7,500 |
| Authentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000 |
| Authentication bypass - app installation | $2,500 - $7,500 | $1,000 - $3,750 |
| IDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500 |
| Circumvention of user permission model | $500 - $4,000 | $500 - $2,000 |
| Server side request forgery | $500 - $4,000 | $500 - $2,000 |
| Cross-site scripting - stored (with exceptions below) | $500 - $5,000 | $500 - $2,500 |
| Cross-site scripting - reflected (with exceptions below) | $500 - $2,500 | $500 - $1,250 |
| Cross-site scripting - self (with exceptions below) | $500 | $500 |
| Cross-site request forgery | $500 - $1,500 | $500 - $750 |
| Denial of service (with exceptions below)* | $500 - $1,500 | $500 |
Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.
* Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).
Core means your Shopify store front and administrative pages at /admin. It does not include Shopify apps or sales channels.
Non-core means other in-scope properties not found at YOURSTORE.myshopify.com, including Shopify apps and sales channels: https://apps.shopify.com/collections/made-by-shopify
Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program's Scope and Vulnerability Criteria.
The following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as Not Applicable:
<iframe> element in the admin area, for example in the Theme Editor.
Shopify does not consider the following to be eligible vulnerabilities under this program. These issues will be closed as Not Applicable:
The following rules must be followed in order for any rewards to be paid:
YOURHANDLE @ wearehackerone.com registered email address.
This program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.
Shopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.
Upon Shopify's request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.