Banner object (1)

Hack and Take the Cash !

844 bounties in database
  Back Link to program      
Shopify logo
Hall of Fame


500 $ 



Shopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the In Scope properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly your- and certain ancillary applications.

We look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:

  • Reply to all reports within one business day and triage within two business days (if applicable)
  • Determine security impacts transparently
  • Award bounties within a week of resolution (excluding extenuating circumstances)
  • Only close reports as N/A when the issue reported is included in Known Issues, Ineligible Vulnerabilities Types or lacks evidence of a vulnerability

All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.


We encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, __.

You must use a whitehat partner account to create shops for testing or use your HackerOne email address, YOURHANDLE @ (e.g. hackerjuan @ so we can properly identify your shop. Doing so may also give you access to new features on your shop before the feature is fully released.


The scope of the whitehat program is limited to the domains listed at the bottom of this page. Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward. For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.

All software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our sandboxed script execution environment __, the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.

If you need further clarification of the rules or scope of our bug bounty program, you may email us at

Typical Bounty Amounts

In most cases, we will only reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.

Prior bounty amounts awarded are not precedent for future payments.

Type | Shopify Core | Non-Core
Arbitrary code execution | $10,000 - $25,000 | $2,500 - $12,500
SQL Injection | $10,000 - $20,000 | $2,500 - $10,000
Privilege escalation to shop owner | $5,000 - $15,000 | $2,000 - $7,500
Authentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000
Authentication bypass - app installation | $2,500 - $7,500 | $1000 - $3,750
IDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500
Circumvention of user permission model | $500 - $4,000 | $500 - $2,000
Server side request forgery | $500 - $4,000 | $500 - $2,000
Cross-site scripting - stored (with exceptions below) | $500 - $5,000 | $500 - $2,500
Cross-site scripting - reflected (with exceptions below) | $500 - $2,500 | $500 - $1,250
Cross-site scripting - self (with exceptions below) | $500 | $500
Cross-site request forgery | $500 - $1,500 | $500 - $750
Denial of service (with exceptions below) | $500 - $1500 | $500

" Shopify Core" includes, and It does not include Shopify apps or sales channels.

All other scopes are part of the "Non-Core" category. This category includes the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.

Self-XSS will be awarded at our sole discretion based on whether it 's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.

Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an application unavailable (e.g., rendering input which causes a store 's /admin to no longer render for any user).

Google Play Bonus

Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program __. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria __.

Known issues

The following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as Not Applicable :

  • XSS - Storefront - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.
  • XSS - iFrames - Any issue related to the storefront area being displayed in a <iframe> element in the admin area, for example in the Theme Editor.
  • XSS - Rich Text Editor - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).
  • XSS - Shopify CDN - The Shopify content distribution network ( and is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.
  • Arbitrary file upload - Shopify CDN - The Shopify content distribution network ( and is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.
  • CSRF access to modify cart
  • CSRF for Login or Logout - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact
  • Insecure cookie handling for account identifying cookies
  • Staff access to /admin/settings/account.json with no permissions - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.
  • Password reset tokens don’t expire when changing email address
  • Email address change doesn’t require verification
  • Tab nabbing
  • Issues with the SPF, DKIM or DMARC records on or other Shopify domains (sometimes reported as email spoofing)
  • Insecure “Opening Soon” password
  • Reflected XSS that requires full control of an HTTP header, such asReferer, Host, etc.
  • User or store name enumeration
  • CSV / formula injection
  • Hyperlink injection
  • Open redirects - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS

Ineligible vulnerability types

Shopify does not consider the following to be eligible vulnerabilities under this program. These issues will be closed as Not Applicable :

  • Distributed Denial of Service
  • Content spoofing
  • Social Engineering, including phishing
  • Unconfirmed reports from automated vulnerability scanners
  • Disclosure of server or software version numbers
  • Generic examples of Host header attacks without evidence of the ability to target a remote victim
  • Reports related to permitted password strength
  • Lack of mobile binary protection, mobile SSL pinning
  • Theoretical sub-domain takeovers with no supporting evidence
  • Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system
  • Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.
  • Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers
  • False reports, or reports lacking evidence of a vulnerability

Rules for participation

The following rules must be followed in order for any rewards to be paid:

  • You may only test against shops you have created which include your HackerOne YOURHANDLE @ registered email address.
  • You must not attempt to gain access to, or interact with, any shops other than those created by you.
  • The use of commercial scanners is prohibited (e.g., Nessus).
  • Rules for reporting must be followed.
  • Do not disclose any issues publicly before they have been resolved.
  • Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.
  • Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.
  • You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.
  • You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.
  • By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.
  • All content submitted by you to Shopify under this program is licensed under the MIT License.
  • You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.
  • Failure to follow any of the foregoing rules will disqualify you from participating in this program.


This program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.

Shopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.

Upon Shopify’s request, you will execute, acknowledge and delivery such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.

Product Update News

For our newest product updates, keep an eye on our Core Change Log __and Partners Blog __.

In Scope

Scope Type Scope Name
android_application __







web_application __

web_application __

Out of Scope

Scope Type Scope Name
















This is Shopify, not Spotify.

Firebounty have crawled on 2016-11-07 the programe Shopify on the platform Hackerone.

FireBounty © 2015-2019

Legal notices