Authentication and Accounts Campaign - June 8 to June 26

1.25–2× payouts on auth bypass, MFA, OAuth/SSO/SAML, session management, and account takeover. Public, 3-week window.

View Scope

Shopify Bug Bounty

We take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.

Last Updated: June 11, 2026 at 8:00 PM UTC

Program statistics

These statistics may vary from those reported by HackerOne due to differences in data collection and reporting criteria.

9 353 973 USD

Total bounties paid

740 220 USD

Total bounties paid this year

150 400 USD

Total bounties paid this month

1,682

Reports received in the last 90 days

2,409

Total Reports Resolved To Date

Submit a vulnerability

1

Review rules and/or scope

Start by exploring our scope, eligibility and known issues to understand how to discover vulnerabilities effectively.

2

Submit report

Once you’ve identified a vulnerability, submit your report to us for review.

3

Keep up with the process

Stay informed throughout the process of our Bug Bounty workflow.

Resources

Shopify’s Updated Bug Bounty Calculator

Our vulnerability scoring just got sharper.

Read now 

A Look Inside Our Bug Bounty Process

Discover the journey your report takes from submission to resolution.

Read now 

Getting Started in our Bug Bounty Program

Learn the first steps to take in our program, including creating an account and testing guidelines.

Read now