Criteria

Issues eligibility, scope and guidelines

Discover which issues fall into the known and ineligible issue categories, and the rules for participating in the program.

Some Cross-Site Scripting (XSS)

At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. We do not consider this a vulnerability.

The following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:

  • XSS - Storefront - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).
  • XSS - iFrames - Any issue related to the storefront area being displayed in an iFrame element in the admin area, for example in the Theme Editor.
  • XSS - Rich Text Editor - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Blogs and Pages section of the Shopify admin.
  • XSS - Shopify Checkout - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).
  • XSS - Set Header - Any issue that requires full control of an HTTP header, such as Referer, Host, etc.
  • XSS - Inspect Element/Console - Any issue that requires the use of the browser's developer tools to execute JavaScript.
  • XSS - Self-XSS - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.

Some Cross-Site Request Forgery (CSRF)

The following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:

  • CSRF access to modify cart
  • CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)

Content Distribution Network (CDN)

At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.

The following CDN (Content Distribution Network) issues are explicitly out of scope for this program and will be closed as Not Applicable:

  • CDN - Arbitrary file upload - Any issue where a store staff member is able to upload arbitrary files to our CDN.
  • CDN - Stored XSS - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com and cdn.shopify.com).
  • CDN - Sensitive data disclosure - All files on the Content Delivery Network (cdn.shopify.com) are public by design.

Shopify Hosted Stores

There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.

The following vulnerability types will be closed as Not Applicable:

  • Staff access to:
    • /admin/settings/shop.json
    • /admin/settings/account.json
    • /admin/settings/users.json
    • /admin/settings/locations.json
  • Intended Public files:
    • payments/config.json
  • Password reset tokens don't expire when changing email address
  • Email address doesn't require verification on signup
  • Lack of domain verification when adding a custom domain to your shop.
  • Staff members with "Edit Permissions" removing permissions they do not have themselves
  • User or store name enumeration
  • Insecure "Opening Soon" password
  • User permission issues in Stocky
  • Template sanitization bypasses in Order Printer

Mobile/POS

There are a number of commonly reported false positives in the Shopify mobile applications that are not considered vulnerabilities.

The following vulnerability types will be closed as Not Applicable:

  • Physical access to the device - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system
  • Mobile application biometrics bypass
  • Lack of mobile binary protection or SSL pinning
  • Lack of mobile application encryption
  • Issues that can only be exploited on an emulated device
  • Bruteforcing Point of Sale PINs. These are intentionally short and serve as a user selection feature, not a security control.

Core Ineligible Findings

Unless otherwise stated, HackerOne's Core Ineligible Findings guidance applies.

Third-Party Apps

Vulnerabilities found in Shopify third-party apps should be reported to the responsible developer. All Shopify-developed applications are in scope for this program.

You should only report vulnerabilities in Shopify third-party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:

  • The name of the app
  • The name of the developer
  • The URL of the app
  • The vulnerability you are reporting
  • The steps to reproduce the vulnerability
  • The impact of the vulnerability
  • The severity of the vulnerability

Please note that Shopify will not pay a bounty for vulnerabilities in third-party apps, and the report will be closed as "Informative".

Distributed Denial of Service

We do not accept any DDoS (Distributed Denial of Service) issues.

Open Redirect

Any issue that allows a user to be redirected to an arbitrary URL without user interaction is ineligible, unless it is chained with another vulnerability to demonstrate impact.

HTML Injection (Context specific)

Any issue that allows a user to inject arbitrary HTML into emails is ineligible, unless it is chained with another eligible vulnerability to demonstrate impact.

SSRF

SSRF is technically possible in several places, but a simple HTTP/DNS interaction alone is not considered a vulnerability. In most cases, these are closed as Informative or Not Applicable.

Race Conditions

If you find a race condition, ensure it is exploitable and would gain access to sensitive information. Race conditions that only allow access to individual paid features on an ineligible plan (e.g., bypassing staff member limits) are not eligible.

Social Engineering

Issues requiring social engineering, such as phishing or impersonating a Shopify employee (including contacting Shopify Support), are ineligible.

GraphQL Introspection

We intentionally expose GraphQL introspection endpoints, making them ineligible for reporting. We recommend using them as a resource.

Password complexity

Reports related to permitted password strength will be closed as Not Applicable.

Staff Member Permissions

Shopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented here.

We consider the following categories to have clear security relevance for staff member permissions. If the observed behavior does not fit these categories, assess the practical impact of the finding before reporting, as it may be closed as N/A.

  • Demonstrates the ability for a staff member to escalate their privileges to one of our Sensitive Permissions (Manage Settings, Manage Payment Settings and Themes).
    • Valid: Staff member with “orders” permission can perform an action that is normally scoped to “Manage Settings”.
    • Invalid: Staff member with “Manage Settings” permission can perform an action that is not specifically listed in the public documentation description.
  • Demonstrates a direct financial impact on the store (The request made must directly result in the impact).
    • Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.
    • Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.
  • Demonstrates impact on Buyer PII that the staff member isn't already authorized for.
    • Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.
    • Invalid: Staff members with the “orders” permission being able to read or write basic buyer information.

For staff permission issues not relevant to our bug bounty program, contact our support team by following the instructions on the FAQ page.

CVV Validation

Reports related to CVV validation during payment are not accepted. CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud based attacks.

Eligibility for Rewards

  • Only test against stores you created using your HackerOne YOURHANDLE@wearehackerone.com registered email.
  • Do not attempt to gain access to, or interact with stores you didn’t create.
  • Follow all reporting rules.
  • Do not disclose issues publicly before resolution or without permission.

Program Modifications

  • Shopify reserves the right to modify rules or invalidate submissions at any time.
  • Shopify may cancel the bug bounty program without notice at any time.

Contact Restrictions

  • Do not contact Shopify Support about the bounty program or to pre-validate reports, test against support, ask for updates, etc. Violating this will disqualify you from receiving a reward and may result in a program ban.

Employment Status

  • You are not an employee of Shopify
  • Shopify employees must report bugs to the internal bug bounty program.

Vulnerability Reporting

  • You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.

Report Content

  • You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.
  • By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.
  • All content submitted by you to Shopify under this program is licensed under the MIT License.

Miscellaneous

  • You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship.
  • Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own.
  • There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.

Domains in scope

Asset Name                        Coverage      Environment
accounts.shopify.com              In Scope      Core
admin.shopify.com                 In Scope      Core
partners.shopify.com              In Scope      Core
*.shopifycs.com                   In Scope      Core
shop.app                          In Scope      Core
arrive-server.shopifycloud.com    In Scope      Core
shopify.plus                      In Scope      Core
[your-store].myshopify.com        In Scope      Core
Shopify Developed Applications    In Scope      Non-Core
Shopify Mobile Applications       In Scope      Non-Core
Shopify GitHub repositories       In Scope      Non-Core
*.shopify.com                     In Scope      Non-Core
*.shopifycloud.com                In Scope      Non-Core
*.shopify.io                      In Scope      Non-Core
*.pci.shopifyinc.com              In Scope      Core
*.shopifykloud.com                In Scope      Non-Core
linkpop.com                       In Scope      Non-Core
academy.shopify.com               Out of Scope  Non-Core
cdn.shopify.com                   Out of Scope  Non-Core
community.shopify.com             Out of Scope  Non-Core
investors.shopify.com             Out of Scope  Non-Core
livechat.shopify.com              Out of Scope  Non-Core
supplier-portal.shopifycloud.com  Out of Scope  Non-Core
*.email.shopify.com               Out of Scope  Non-Core