Shopify

Bug Bounty

Rewards
Criteria
FAQ
Calculator (New).
Use the new calculator
Calculator (Legacy).
Use the legacy calculator
Resources

Submit a vulnerability

Score

Jump to score

Score0.0

Bounty$ 0

SeverityNone

Vector String

AV:N / AC:L / AT:N / PR:N / UI:N / VC:N / VI:N / VA:N / SC:N / SI:N / SA:N / V:D

Calculator

Bug Bounty Severity Calculator

This calculator is used to calculate bounties for vulnerabilities reported to our Bug Bounty Program on HackerOne. While our calculator is inspired by the Common Vulnerability Scoring System (CVSS 4.0), there is not a direct mapping between our calculator and CVSS 4.0. Our scoring system takes into consideration Shopify specific context and our current threat model.

Submit a vulnerability

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible. The Base Score increases the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.

Select what type of vector

Network

Adjacent

Local

Physical

Attack Complexity

This metric captures the actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions. High complexity indicates the attacker must take specific actions such as evading exploit mitigation techniques or obtaining target-specific secrets.

Measurable effort to exploit

Merchants: Extensive knowledge of target merchant, timing dependencies, etc.; Shopify: Multiple post-exploitation steps, significant recon, overcoming mitigations/detections, etc.

Yes

Attack Requirements

This metric captures prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. Present indicates that specific conditions must exist for successful exploitation, such as race conditions, specific system configurations, feature flags, or particular account states.

Are there any requirements for this attack to be successful?

This metric captures whether specific deployment or execution conditions (specific shop configuration or user state, etc.) are required for the successful execution of the exploit.

None

Present

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This Base Score increases as fewer privileges are required.

Requires privileged account

Merchants: requires an account on target shop or partners organization; Shopify: requires access to account to claim subdomain/rubygem, etc.

Yes

Does the attacker need extensive permissions?

Merchants: Self-registered accounts are not considered privileged in this context. Requires powerful permission, such as the "Settings" permission; Shopify: Requires access to restricted or beta features, sandboxed environment, etc.

Yes

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The Base Score is highest when no user interaction is required.

Victim performs an action during exploit?

Passive: Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. Active: Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload.

None

Passive

Active

Confidentiality

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by or disclosure to unauthorized ones.

Data impact?

If the data impacted is sensitive in nature or includes PII, choose High

None

Low

High

How much impact does this attack have on another service?

Merchants: Using Partners to access arbitrary stores; Shopify: Lateral movement to other network services

None

Low

High

Integrity

This metric measures the impact to the integrity of a system or data due to a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information resources.

Data impact?

If the data impacted is sensitive in nature or includes PII, choose High

None

Low

High

How much impact does this attack have on another service?

Merchants: Using Partners to access arbitrary stores; Shopify: Lateral movement to other network services

None

Low

High

Availability

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. It refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.

Level of disruption to network service?

If the impact to the network service results in complete disruption or significant downtime, for most or all of the service, choose High.

None

Low

High

How much impact does this attack have on another service?

Merchants: Using Partners to access arbitrary stores; Shopify: Lateral movement to other network services

None

Low

High

Automatable

This metric determines whether an exploit can be reliably automated across multiple targets with minimal adaptation. An attack is considered "Automatable" if the exploitation process can be fully automated across all stages of the chain, enabling large-scale attacks. An attack is "Not Automatable" if it requires multiple manual steps, user interaction, target-specific context, or manual discovery for each individual target.

Can this be automated across multiple targets?

No: The exploit cannot be reliably automated. It requires multiple manual steps, interaction, context-specific knowledge, or discovery for each target. Yes: The exploit can be reliably scripted to enumerate or attack many distinct targets with minimal adaptation. The exploitation process can be fully automated across all stages of the chain.

Yes

Value Density

This metric measures the depth of impact - how much sensitive information or control an attacker gains from a single exploitation event. Value Density evaluates the extent of control over Shopify resources, ranging from minor merchant data (Diffused) to comprehensive access to critical systems or large amounts of sensitive data (Concentrated). This metric focuses on the richness of what is gained per attack, not the breadth across multiple targets.

Resources gain from attack?

Diffused: Limited control or access from a single exploitation event (e.g., single merchant's data, single organization's data, individual user account compromise). Concentrated: Significant control or broad access from a single exploitation event (e.g., exposed secret with access to internal infrastructure).

Diffused

Concentrated

Environment

Refer to the Scope page for details on which assets are considered Core and which assets are considered Non-Core.

Core

Non-Core

Score

Report copied!

Copy Report

Score

0.0

Bounty

$ 0

Severity

None

Vector String

About
Updates
Feedback