Guidelines
Rules & FAQ
These rules ensure a fair, respectful, and legally compliant environment. Whether you're new or experienced, review them carefully to understand your responsibilities and the expected standards of conduct.
The rules must be followed in order for any rewards to be paid. Failure to follow any of the foregoing rules will disqualify you from participating in this program.

Frequently Asked Questions
We pay bounties based on severity scores as outlined in our Rewards payout structures. We make a best effort to award bounties within one week of triage.
Scope change is determined by whether the vulnerable asset should have the ability to impact the affected asset, not just by the fact that multiple assets are involved. Scope Change occurs when a vulnerability in one asset impacts another asset that it should not have authority over.
Examples:
- Vulnerability found in: Asset A (e.g., admin.shopify.com)
- Vulnerability impacts: Asset B (e.g., internal-service.shopify.com)
- Result: Scope change applies because Asset A should not have the authority to impact Asset B

- Vulnerability found in: Asset A (e.g., admin.shopify.com)
- Vulnerability impacts: Asset B (e.g., *.myshopify.com)
- Result: Scope change does not apply because Asset A has the authority to impact Asset B
In our commitment to maintaining a secure environment, we value your assistance in identifying DoS vulnerabilities that meet our specific criteria. Generally:
- We only consider DoS issues that can be triggered by a single user with a single request.
- We only consider DoS issues that cause a significant disruption to the entire service, not just an individual shop or instance.
- Note: We explicitly do not accept any kind of DDOS (Distributed Denial of Service) issues.
- Slow requests that eventually complete successfully without rendering the service unavailable to others do not constitute an availability impact for our program.
- Make every effort to avoid an actual DoS on our services.
- Start small.
- Increase efforts incrementally.
- As soon as you start to see a degradation in a service you are testing, please stop testing and submit a report.
Your report should include:
- The URL of the page that is vulnerable to DoS
- The X-Request-ID of the HTTP response that causes the DoS
- The HTTP request that causes the DoS
- The HTTP response that is returned by the server after the DoS has been triggered
- The time it takes for the DoS to be triggered
Please refer to the resource article section on why some reports may be closed as N/A.
Public (and not archived) repositories available under the Shopify organization on GitHub are in scope of our program.
We welcome videos accompanying submissions provided that they:
- Are accompanied by matching written proof-of-concept steps in the report itself
- Are concise and effective at demonstrating your proof of concept
- Ensure any vital details included in your video, such as a Request-Id, are also included in your written instructions
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines. Please follow the steps outlined here.
If you have asked a question in a report and have not received a response within two weeks, please file a mediation request. Raising a mediation request will allow HackerOne to notify us, ensuring visibility of your inquiry and helping us address your concerns more promptly.
Our email address is intended for questions about the program. For example, if you need clarification about a policy or scope, emailing us at bugbounty@shopify.com is a great place to start. Please keep all communications about vulnerabilities and report decisions in your reports.
There are certain classes of behavior that do not represent any relevant severity impact. We are still interested in hearing about functional issues through other existing channels. If you would like to report functional issues to us, you can use the following mediums.

Note that behavior reported via these channels is in no way associated with the Bug Bounty program.
We would love to hear from you. You can submit your feedback and suggestions via our feedback form.
Please refer to the Shopify help center.