Calculator

Bug Bounty

Rewards
Criteria
FAQ
Calculator
Resources

Submit a vulnerability

Score

Jump to score

Score0.0

Bounty$ 0

SeverityNone

Bug Bounty Severity Calculator

This calculator is used to calculate bounties for vulnerabilities reported to our Bug Bounty Program on HackerOne. While our calculator is inspired by the Common Vulnerability Scoring System (CVSS 3.0), there is not a direct mapping between our calculator and CVSS 3.0. Our scoring system takes into consideration Shopify specific context and our current threat model.

Submit a vulnerability

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible. The Base Score increases the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.

Select what type of vector

Network

Adjacent

Local

Physical

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions.

Vector's value:Low

Measurable effort to exploit

Merchants: Extensive knowledge of target merchant, specific shop configuration, etc.; Shopify: Multiple post-exploitation steps, significant recon, overcoming mitigations/detections, etc.

Yes

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This Base Score increases as fewer privileges are required.

Vector's value:None

Requires privileged account

Merchants: requires an account on target shop or partners organization; Shopify: requires access to account to claim subdomain/rubygem, etc.

Yes

Does the attacker need extensive permissions?

Merchants: Self-registered accounts are not considered privileged in this context. Requires powerful permission, such as the "Settings" permission; Shopify: Requires access to restricted or beta features, sandboxed environment, etc.

Yes

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The Base Score is highest when no user interaction is required.

Vector's value:None

Victim performs an action during exploit?

Eg. Click link or button, perform Shopify ID account merge, etc.

Yes

Scope Change

Does a successful attack affect a system beyond those already in scope of the vulnerable system? If so, the Base Score increases and the Confidentiality, Integrity and Availability metrics should be scored relative to the impacted component.

Vector's value:Unchanged

Can the attacker impact a separate service?

Merchants: Using Partners to access arbitrary stores; Shopify: Lateral movement to other network services

Yes

Confidentiality

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by or disclosure to unauthorized ones.

Vector's value:None

Data impact?

If the data impacted is sensitive in nature or includes PII, choose High

None

Low

High

Does this impact scale to the rest of the service?

For example, in the case of Shopify, could this vector be reasonably scaled to impact any arbitrary Store or does the vector limit the impact to a subset of Stores?

Yes

Integrity

This metric measures the impact to the integrity of a system or data due to a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information resources.

Vector's value:None

Data impact?

If the data impacted is sensitive in nature or includes PII, choose High

None

Low

High

Does this impact scale to the rest of the service?

For example, in the case of Shopify, could this vector be reasonably scaled to impact any arbitrary Store or does the vector limit the impact to a subset of Stores?

Yes

Availability

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. It refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.

Vector's value:None

Level of disruption to network service?

None

Degraded service and/or some downtime

Complete disruption and significant downtime

How much of the service is impacted?

Merchants: How many merchants? Shopify: How many services? If any are core, choose Most or All

Some

Most or All

Environment

Refer to the Scope page for details on which assets are considered Core and which assets are considered Non-Core.

Core

Non-Core

Score

Report copied!

Copy Report

Score

0.0

Bounty

$ 0

*Not scalable to most or all of Shopify

Severity

None

Vector String

About
Updates
Feedback