Shopify
Leading e-commerce platform enabling millions of merchants to build online stores, process payments, and manage inventory.
https://shopify.com

Max Reward: $50,000
Total Paid: $5,200,000
Resolved: 423
Avg Response: 2 days
In-Scope Assets
- shopify.com: Admin dashboard, storefront, and checkout
- Shopify API: REST and GraphQL APIs for merchants and apps
- Shopify Payments: Payment processing and fraud detection
- Shopify POS: Point-of-sale system and hardware integrations
Out of Scope
- ✕ Third-party themes and apps
- ✕ Merchant-generated content
- ✕ Rate limiting on public pages
Severity Levels & Rewards
- RCE, authentication bypass, privilege escalation, fund extraction
- Stored XSS, CSRF with impact, API abuse, data manipulation
- Reflected XSS, data leakage, logic flaws, information disclosure
- Verbose errors, minor config issues, low-impact info disclosure
Active Bounties (2)
| ID | Title | Severity | Status | Reward | Submissions |
|---|---|---|---|---|---|
| SHOP-001 | Checkout price manipulation via discount code race condition | Critical | Open | $15,000–$50,000 | 0 |
| SHOP-002 | Stored XSS in merchant admin theme editor | High | Resolved | $5,000–$10,000 | 3 |
Rules of Engagement
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or automated scanning at high volume.
• Report vulnerabilities promptly and provide sufficient detail to reproduce.
• Allow a reasonable time for a fix before public disclosure (90 days).
• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.