Calculator

Score

Score0.0

Bounty$ 0

SeverityNone

Bug Bounty Severity Calculator

This calculator is used to calculate bounties for vulnerabilities reported to our Bug Bounty Program on HackerOne. While our calculator is inspired by the Common Vulnerability Scoring System (CVSS 3.0), there is not a direct mapping between our calculator and CVSS 3.0. Our scoring system takes into consideration Shopify specific context and our current threat model.

Submit a vulnerability

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible. The Base Score increases the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.

Select what type of vector

Network

Adjacent

Local

Physical

Add any additional notes about the vector:

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions.

Measurable effort to exploit

Yes

Merchants: Extensive knowledge of target merchant, specific shop configuration, etc.; Shopify: Multiple post-exploitation steps, significant recon, overcoming mitigations/detections, etc.

Vector's value:

Low

Add any additional notes about the vector:

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This Base Score increases as fewer privileges are required.

Requires privileged account

Yes

Merchants: requires an account on target shop or partners organization; Shopify: requires access to account to claim subdomain/rubygem, etc.

Does the attacker need extensive permissions?

Yes

Merchants: Self-registered accounts are not considered privileged in this context. Requires powerful permission, such as the "Settings" permission; Shopify: Requires access to restricted or beta features, sandboxed environment, etc.

Vector's value:

None

Add any additional notes about the vector:

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The Base Score is highest when no user interaction is required.

Victim performs an action during exploit?

Yes

Eg. Click link or button, perform Shopify ID account merge, etc.

Vector's value:

None

Add any additional notes about the vector:

Scope Change

Does a successful attack affect a system beyond those already in scope of the vulnerable system? If so, the Base Score increases and the Confidentiality, Integrity and Availability metrics should be scored relative to the impacted component.

Can the attacker impact a separate service?

Yes

Merchants: Using Partners to access arbitrary stores; Shopify: Lateral movement to other network services

Vector's value:

Unchanged

Add any additional notes about the vector:

Confidentiality

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by or disclosure to unauthorized ones.

Data impact?

None

Low

High

If the data impacted is sensitive in nature or includes PII, choose High

Does this impact scale to the rest of the service?

Yes

For example, in the case of Shopify, could this vector be reasonably scaled to impact any arbitrary Store or does the vector limit the impact to a subset of Stores?

Vector's value:

None

Add any additional notes about the vector:

Integrity

This metric measures the impact to the integrity of a system or data due to a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information resources.

Data impact?

None

Low

High

If the data impacted is sensitive in nature or includes PII, choose High

Does this impact scale to the rest of the service?

Yes

For example, in the case of Shopify, could this vector be reasonably scaled to impact any arbitrary Store or does the vector limit the impact to a subset of Stores?

Vector's value:

None

Add any additional notes about the vector:

Availability

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. It refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.

Level of disruption to network service?

None

Degraded service and/or some downtime

Complete disruption and significant downtime

How much of the service is impacted?

Some

Most or All

Merchants: How many merchants? Shopify: How many services? If any are core, choose Most or All

Vector's value:

None

Add any additional notes about the vector:

Environment

Refer to the Scope page for details on which assets are considered Core and which assets are considered Non-Core.

Core

Non-Core

Score

Copy Report

Score

0.0

Bounty

$ 0

*Not scalable to most or all of Shopify

Severity

None

Vector String

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N