Rewards

Get rewarded for your hard work

Most reports are scored with our Shopify Bug Bounty Severity Calculator, which determines your reward based on impact and severity. For unique reports that don’t quite fit the calculator, we use a Precedents payout structure to ensure you're still rewarded. And, our bonus structure lets you earn extra for outstanding contributions.

Note that for reports with limited scalability, the bounty amount for the respective score may vary from what is listed here.

Critical

Shopify considers vulnerabilities with the following scores to be critical impact.

$90,000 - $200,000

Score   Reward
9.0     $90k
9.1     $100k
9.2     $110k
9.3     $120k
9.4     $130k
9.5     $140k
9.6     $150k
9.7     $160k
9.8     $170k
9.9     $180k
10.0    $200k

High

Shopify considers vulnerabilities with the following scores to be high impact.

$17,000 - $85,000

Score   Reward
7.0     $17k
7.1     $19k
7.2     $21k
7.3     $23k
7.4     $25k
7.5     $27k
7.6     $29k
7.7     $31k
7.8     $33k
7.9     $35k
8.0     $40k
8.1     $45k
8.2     $50k
8.3     $55k
8.4     $60k
8.5     $65k
8.6     $70k
8.7     $75k
8.8     $80k
8.9     $85k

Medium

Shopify considers vulnerabilities with the following scores to be medium impact.

$1,300 - $10,000

Score   Reward
4.0     $1.3k
4.1     $1.6k
4.2     $1.9k
4.3     $2.2k
4.4     $2.5k
4.5     $2.8k
4.6     $3.1k
4.7     $3.4k
4.8     $3.7k
4.9     $4k
5.0     $4.3k
5.1     $4.6k
5.2     $4.9k
5.3     $5.2k
5.4     $5.5k
5.5     $5.8k
5.6     $6.1k
5.7     $6.4k
5.8     $6.7k
5.9     $7k
6.0     $7.3k
6.1     $7.6k
6.2     $7.9k
6.3     $8.2k
6.4     $8.5k
6.5     $8.8k
6.6     $9.1k
6.7     $9.4k
6.8     $9.7k
6.9     $10k

Low

Shopify considers vulnerabilities with the following scores to be low impact.

$500 - $1,000

Score   Reward
<3.0    $500
3.1     $550
3.2     $600
3.3     $650
3.4     $700
3.5     $750
3.6     $800
3.7     $850
3.8     $900
3.9     $1k

Leaked Credentials

$0-$500

Reports of leaked credentials are evaluated on a case-by-case basis and actioned based on Shopify's assessment of impact.

Credentials must:

  • Be submitted in accordance with the leaked credential submission rules & guidance
  • Be valid and unknown to us
  • Lead to corrective action being taken

Hackers must not split bulk credential finds into separate reports to maximize payout. Doing so may lead to report disqualification and a temporary ban for the hacker.

Reports related to leaked API keys or secrets will be evaluated and rewarded based on their assessed impact.

Information disclosures not caused by vulnerabilities

$50

Reports of information disclosures not resulting from a vulnerability in our systems are evaluated on a case-by-case basis and actioned based on Shopify's assessment of impact.

Examples include accidentally exposed documents containing sensitive information.

Reward: $50 if information reported has a measurable security impact that prompts action.

Staff permission discrepancies

$50 or $500

Reports of discrepancies in staff permissions—how they are applied, communicated, and enforced—are evaluated and rewarded under this model.

Reports on broken access control vulnerabilities are assessed and rewarded using our standard rewards calculator, NOT this model.

Our granular permission model can be complex. What may seem like a vulnerability is often intentional behavior.

For these reports, if impact is not measurable by Shopify's Bug Bounty Calculator but prompts us to make changes, we will reward under the “Staff permission discrepancy” model.

Reward: $50 if the report leads to improvements in documentation or UX.

Reward: $500 if the report leads to changes in permission behavior or removal of a permission.

Availability impacts to a single store

$500

Reports on the potential to impact availability of a specific store are rewarded under this model.

Reports that describe the ability to impact Availability of an entire service or component are assessed and rewarded using our standard rewards calculator, NOT this model.

Reward: $500 if the report leads to improvements in documentation or UX treatment.

Dangling DNS or subdomain takeovers

$50 or $500

Reports demonstrating the ability to claim a Shopify domain due to DNS misconfigurations are rewarded under this model.

Reward: $50 - Informative - When our automation catches and resolves an issue after it was reported and before we triage it.

Reward: $500 if the report leads to corrective action.

Demonstrating that the domain in question is still actively receiving sensitive traffic may result in the report being rewarded at a higher level.

Third Party Systems

$100 or $500

Reports detailing a security issue in a third-party system that Shopify uses but does not own and does not fully control are rewarded under this model.

$100 - Triage & Resolved - For low to medium severity security issues for which Shopify is able to make a change to mitigate the finding.

$500 - Triage & Resolved - For high to critical severity security issues for which Shopify is able to make a change to mitigate the finding.

Patch Provided

+10% of bounty awarded

Reports that provide a valid, high quality solution used by Shopify to mitigate the issue.

Discretionary

10% of bounty up to $5k

Additional rewards determined at the discretion of our bug bounty award panel. This may be awarded for well written, clear, and concise reports.

Campaigns

Varies

Special limited-time bonuses (stay tuned!)