Bug Bounty Severity Calculator
This calculator is used to calculate bounties for vulnerabilities reported to our Bug Bounty Program on HackerOne. While our calculator is inspired by the Common Vulnerability Scoring System (CVSS 3.0), there is not a direct mapping between our calculator and CVSS 3.0. Our scoring system takes into consideration Shopify specific context and our current threat model.

Attack Vector
This metric reflects the context by which vulnerability exploitation is possible. The Base Score increases the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.
Select the type of attack vector
Attack Complexity
This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions.
Measurable effort to exploit
Merchants: Extensive knowledge of target merchant, specific shop configuration, etc.; Shopify: Multiple post-exploitation steps, significant recon, overcoming mitigations/detections, etc.
Vector's value:
Low
Privileges Required
This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This Base Score increases as fewer privileges are required.
Requires privileged account
Merchants: requires an account on target shop or partners organization; Shopify: requires access to account to claim subdomain/rubygem, etc.
Does the attacker need extensive permissions?
Merchants: Self-registered accounts are not considered privileged in this context. Requires powerful permission, such as the "Settings" permission; Shopify: Requires access to restricted or beta features, sandboxed environment, etc.
Vector's value:
None
User Interaction
This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The Base Score is highest when no user interaction is required.
Victim performs an action during exploit?
E.g. click a link or button, perform a Shopify ID account merge, etc.
Vector's value:
None
Scope Change
Does a successful attack affect a system beyond those already in scope of the vulnerable system? If so, the Base Score increases and the Confidentiality, Integrity and Availability metrics should be scored relative to the impacted component.
Can the attacker impact a separate service?
Merchants: Using Partners to access arbitrary stores; Shopify: Lateral movement to other network services
Vector's value:
Unchanged
Confidentiality
This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by or disclosure to unauthorized ones.
Data impact?
If the data impacted is sensitive in nature or includes PII, choose High
Does this impact scale to the rest of the service?
For example, in the case of Shopify, could this vector be reasonably scaled to impact any arbitrary Store or does the vector limit the impact to a subset of Stores?
Vector's value:
None
Integrity
This metric measures the impact to the integrity of a system or data due to a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information resources.
Data impact?
If the data impacted is sensitive in nature or includes PII, choose High
Does this impact scale to the rest of the service?
For example, in the case of Shopify, could this vector be reasonably scaled to impact any arbitrary Store or does the vector limit the impact to a subset of Stores?
Vector's value:
None
Availability
This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. It refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.
Level of disruption to network service?
How much of the service is impacted?
Merchants: How many merchants? Shopify: How many services? If any are core, choose Most or All
Vector's value:
None
Environment
Refer to the Scope page for details on which assets are considered Core and which assets are considered Non-Core.
Score
0.0
Bounty
$ 0
*Not scalable to most or all of Shopify
Severity
None
Vector String
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N