[{"id":3769550,"new_policy":"# Shopify's Bug Bounty Program\n\nWe reward security researchers for finding and reporting vulnerabilities that help keep our platform secure. Our bug bounty program offers rewards up to $200,000 and bonuses for outstanding contributions.\n\nHere’s what you can expect:\n- Quick review and triage of reports with high-quality evaluations.\n- Full transparency on report decisions, including adding you to duplicate reports on HackerOne.\n- Prompt bounty awards after triage, except in rare cases.\n\nWe value all contributions, from minor issues to critical vulnerabilities, as they help enhance Shopify’s security.\n\n## Early Access Program\n\nA special invite-only program where select researchers get early access to Shopify features before they're widely released. This exclusive opportunity lets you discover vulnerabilities in our newest innovations while earning bounties.\n\nCriteria for invitation:\n\n- Submitted 4 or more reports over the past 2 years.\n- 50% or higher rate of success on those reports\n\nPlease note, invitations are extended at Shopify's discretion based on quality contributions to our security ecosystem.\n\n\n## Getting started\n1. Review and understand the [participation rules](https://bugbounty.shopify.com/criteria?q=rules), the list of [assets in scope](https://bugbounty.shopify.com/criteria?q=scope), and the list of [ineligible issues](https://bugbounty.shopify.com/criteria?q=ineligible-issues).\n1. Familiarize yourself with the `@wearehackerone.com` email address which must be used when creating a Shopify account. This alias is provided by HackerOne and you can learn more about it in their [documentation](https://docs.hackerone.com/en/articles/8404308-hacker-email-alias).\n1. Create a Shopify account using [this link](https://partners.shopify.com/signup/bugbounty) and follow the registration process.\n1. You must test only against stores you have created. 
Testing against live merchants is prohibited and can result in reports being closed as `Not Applicable` and/or your disqualification from the Shopify bug bounty program.\n1. Consult [Shopify Help Center](https://help.shopify.com/) for further information on how to build a store and to discover platform features. For the newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n## Eligibility\nThe scope of the bug bounty program is limited to the assets listed on the scope page for this program. Valid vulnerabilities on any asset not explicitly listed in scope may be accepted but are ineligible for a reward. As a general rule:\n- Reports which do not demonstrate relevant security impact to Shopify or our Merchants by providing a functional proof of concept will be closed as N/A.\n- We reward researchers based on the scenario that yields the highest overall severity score, provided that the scenario is plausible and directly linked to the root issue. In cases where multiple reports share the same root cause, these will be closed as Duplicate.\n- We will only award and triage reports when the root cause is under our control.\n- IDOR eligibility will be evaluated considering the identifier predictability, the data accessed and overall impact on the service.\n- Reports of a vulnerability disclosing sensitive PII will be evaluated on a case-by-case basis, considering the overall impact on Shopify's merchant data.\n\n## Typical Bounty Amounts\nBounty amounts will be determined using [Shopify's Bug Bounty Calculator](https://bugbounty.shopify.com/calculator). In most cases, we will only triage and reward vulnerabilities with a score greater than 0. A score under 3 will result in a $500 bounty. 
Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a score of 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the minimum bounty per severity, scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for Confidentiality, Integrity, and Availability Requirements.\n\n## Leaked Credentials\nIn alignment with HackerOne’s guidance and terms, Shopify accepts reports of leaked credentials, including Authentication material for Shopify APIs and/or Shopify infrastructure. Hackers should submit the leaked credentials to the program and should not test their validity beyond authenticating and then immediately deauthenticating - without exercising any functionality. Likewise, Hackers should not share these credentials beyond their report to the program.\n\n## Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- **Eligibility for Rewards**\n  - Only test against stores you created using your HackerOne `YOURHANDLE @ wearehackerone.com` registered email.\n  - Do not attempt to gain access to, or interact with stores you didn’t create.\n  - Follow all reporting rules.\n  - Do not disclose issues publicly before resolution or without permission.\n- **Program Modifications**\n  - Shopify reserves the right to modify rules or invalidate submissions at any time.\n  - Shopify may cancel the bug bounty program without notice at any time.\n- **Contact Restrictions**\n  - Do not contact Shopify Support as part of your testing or to ask about the bounty program, to pre-validate reports nor to ask for updates. 
Violating this will disqualify you from receiving a reward and may result in a program ban.\n- **Employment Status**\n  - You are not an employee of Shopify\n  - Shopify employees must report bugs to the internal bug bounty program.\n- **Vulnerability Reporting**\n  - You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n\nFailure to follow any of the foregoing rules will disqualify you from participating in this program.\n- **General Rules**\n  - Reports must demonstrate relevant CVSS impact to Shopify, Shop users, our partners or our merchants with a functional proof of concept. Reports without this will be closed as N/A.\n  - Rewards are based on the highest CVSS score scenario that is plausible and linked to the root issue. Multiple reports with the same root cause will be closed as Duplicate.\n  - You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n  - By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n  - All content submitted by you to Shopify under this program is licensed under the MIT License.\n- **Notes**\n  - This program is not open to individuals who are on sanctions lists, or who are in countries on sanctions lists.\n  - You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship.\n  - Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. 
Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own.\n  - There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2026-02-11T15:53:33.563Z"},{"id":3756029,"new_policy":"# Shopify's Bug Bounty Program\n\nWe reward security researchers for finding and reporting vulnerabilities that help keep our platform secure. Our bug bounty program offers rewards up to $200,000 and bonuses for outstanding contributions.\n\nHere’s what you can expect:\n- Quick review and triage of reports with high-quality evaluations.\n- Full transparency on report decisions, including adding you to duplicate reports on HackerOne.\n- Prompt bounty awards after triage, except in rare cases.\n\nWe value all contributions, from minor issues to critical vulnerabilities, as they help enhance Shopify’s security.\n\n## Early Access Program\n\nA special invite-only program where select researchers get early access to Shopify features before they're widely released. This exclusive opportunity lets you discover vulnerabilities in our newest innovations while earning bounties.\n\nCriteria for invitation:\n\n- Submitted 4 or more reports over the past 2 years.\n- 50% or higher rate of success on those reports\n\nPlease note, invitations are extended at Shopify's discretion based on quality contributions to our security ecosystem.\n\n\n## Getting started\n1. 
Review and understand the [participation rules](https://bugbounty.shopify.com/criteria?q=rules), the list of [assets in scope](https://bugbounty.shopify.com/criteria?q=scope), and the list of [ineligible issues](https://bugbounty.shopify.com/criteria?q=ineligible-issues).\n1. Familiarize yourself with the `@wearehackerone.com` email address which must be used when creating a Shopify account. This alias is provided by HackerOne and you can learn more about it in their [documentation](https://docs.hackerone.com/en/articles/8404308-hacker-email-alias).\n1. Create a Shopify account using [this link](https://partners.shopify.com/signup/bugbounty) and follow the registration process.\n1. You must test only against stores you have created. Testing against live merchants is prohibited and can result in reports being closed as `Not Applicable` and/or your disqualification from the Shopify bug bounty program.\n1. Consult [Shopify Help Center](https://help.shopify.com/) for further information on how to build a store and to discover platform features. For the newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n## Eligibility\nThe scope of the bug bounty program is limited to the assets listed on the scope page for this program. Valid vulnerabilities on any asset not explicitly listed in scope may be accepted but are ineligible for a reward. As a general rule:\n- Reports which do not demonstrate relevant security impact to Shopify or our Merchants by providing a functional proof of concept will be closed as N/A.\n- We reward researchers based on the scenario that yields the highest overall severity score, provided that the scenario is plausible and directly linked to the root issue. 
In cases where multiple reports share the same root cause, these will be closed as Duplicate.\n- We will only award and triage reports when the root cause is under our control.\n- IDOR eligibility will be evaluated considering the identifier predictability, the data accessed and overall impact on the service.\n- Reports of a vulnerability disclosing sensitive PII will be evaluated on a case-by-case basis, considering the overall impact on Shopify's merchant data.\n\n## Typical Bounty Amounts\nBounty amounts will be determined using [Shopify's Bug Bounty Calculator](https://bugbounty.shopify.com/calculator). In most cases, we will only triage and reward vulnerabilities with a score greater than 0. A score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a score of 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the minimum bounty per severity, scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for Confidentiality, Integrity, and Availability Requirements. In addition to the score, the bounty is lowered if it is determined that the reported issue is not scalable to impact most or all of Shopify, as indicated in our calculator.\n\n## Leaked Credentials\nIn alignment with HackerOne’s guidance and terms, Shopify accepts reports of leaked credentials, including Authentication material for Shopify APIs and/or Shopify infrastructure. Hackers should submit the leaked credentials to the program and should not test their validity beyond authenticating and then immediately deauthenticating - without exercising any functionality. 
Likewise, Hackers should not share these credentials beyond their report to the program.\n\n## Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- **Eligibility for Rewards**\n  - Only test against stores you created using your HackerOne `YOURHANDLE @ wearehackerone.com` registered email.\n  - Do not attempt to gain access to, or interact with stores you didn’t create.\n  - Follow all reporting rules.\n  - Do not disclose issues publicly before resolution or without permission.\n- **Program Modifications**\n  - Shopify reserves the right to modify rules or invalidate submissions at any time.\n  - Shopify may cancel the bug bounty program without notice at any time.\n- **Contact Restrictions**\n  - Do not contact Shopify Support as part of your testing or to ask about the bounty program, to pre-validate reports nor to ask for updates. Violating this will disqualify you from receiving a reward and may result in a program ban.\n- **Employment Status**\n  - You are not an employee of Shopify\n  - Shopify employees must report bugs to the internal bug bounty program.\n- **Vulnerability Reporting**\n  - You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n\nFailure to follow any of the foregoing rules will disqualify you from participating in this program.\n- **General Rules**\n  - Reports must demonstrate relevant CVSS impact to Shopify, Shop users, our partners or our merchants with a functional proof of concept. Reports without this will be closed as N/A.\n  - Rewards are based on the highest CVSS score scenario that is plausible and linked to the root issue. Multiple reports with the same root cause will be closed as Duplicate.\n  - You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n  - By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n  - All content submitted by you to Shopify under this program is licensed under the MIT License.\n- **Notes**\n  - This program is not open to individuals who are on sanctions lists, or who are in countries on sanctions lists.\n  - You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship.\n  - Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own.\n  - There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-05-21T14:22:48.455Z"},{"id":3751959,"new_policy":"# Shopify's Bug Bounty Program\n\nWe reward security researchers for finding and reporting vulnerabilities that help keep our platform secure. 
Our bug bounty program offers rewards up to $200,000 and bonuses for outstanding contributions.\n\nHere’s what you can expect:\n- Quick review and triage of reports with high-quality evaluations.\n- Full transparency on report decisions, including adding you to duplicate reports on HackerOne.\n- Prompt bounty awards after triage, except in rare cases.\n\nWe value all contributions, from minor issues to critical vulnerabilities, as they help enhance Shopify’s security.\n\n## Early Access Program\n\nA special invite-only program where select researchers get early access to Shopify features before they're widely released. This exclusive opportunity lets you discover vulnerabilities in our newest innovations while earning bounties.\n\nCriteria for invitation:\n\n- Submitted 4 or more reports over the past 2 years.\n- 50% or higher rate of success on those reports\n\nPlease note, invitations are extended at Shopify's discretion based on quality contributions to our security ecosystem.\n\n\n## Getting started\n1. Review and understand the [participation rules](https://bugbounty.shopify.com/criteria?q=rules), the list of [assets in scope](https://bugbounty.shopify.com/criteria?q=scope), and the list of [ineligible issues](https://bugbounty.shopify.com/criteria?q=ineligible-issues).\n1. Familiarize yourself with the `@wearehackerone.com` email address which must be used when creating a Shopify account. This alias is provided by HackerOne and you can learn more about it in their [documentation](https://docs.hackerone.com/en/articles/8404308-hacker-email-alias).\n1. Create a Shopify account using [this link](https://partners.shopify.com/signup/bugbounty) and follow the registration process.\n1. You must test only against stores you have created. Testing against live merchants is prohibited and can result in reports being closed as `Not Applicable` and/or your disqualification from the Shopify bug bounty program.\n1. 
Consult [Shopify Help Center](https://help.shopify.com/) for further information on how to build a store and to discover platform features. For the newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n## Eligibility\nThe scope of the bug bounty program is limited to the assets listed on the scope page for this program. Valid vulnerabilities on any asset not explicitly listed in scope may be accepted but are ineligible for a reward. As a general rule:\n- Reports which do not demonstrate relevant security impact to Shopify or our Merchants by providing a functional proof of concept will be closed as N/A.\n- We reward researchers based on the scenario that yields the highest overall severity score, provided that the scenario is plausible and directly linked to the root issue. In cases where multiple reports share the same root cause, these will be closed as Duplicate.\n- We will only award and triage reports when the root cause is under our control.\n- IDOR eligibility will be evaluated considering the identifier predictability, the data accessed and overall impact on the service.\n- Reports of a vulnerability disclosing sensitive PII will be evaluated on a case-by-case basis, considering the overall impact on Shopify's merchant data.\n\n## Typical Bounty Amounts\nBounty amounts will be determined using [Shopify's Bug Bounty Calculator](https://bugbounty.shopify.com/calculator). In most cases, we will only triage and reward vulnerabilities with a score greater than 0. A score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. 
In rare cases, we may choose to accept and award a bonus for an issue with a score of 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the minimum bounty per severity, scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for Confidentiality, Integrity, and Availability Requirements. In addition to the score, the bounty is lowered if it is determined that the reported issue is not scalable to impact most or all of Shopify, as indicated in our calculator.\n\n## Leaked Credentials\nIn alignment with HackerOne’s guidance and terms, Shopify accepts reports of leaked credentials, including Authentication material for Shopify APIs and/or Shopify infrastructure. Hackers should submit the leaked credentials to the program and should not test their validity beyond authenticating and then immediately deauthenticating - without exercising any functionality. 
Likewise, Hackers should not share these credentials beyond their report to the program.\n\n## Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- **Eligibility for Rewards**\n  - Only test against stores you created using your HackerOne `YOURHANDLE @ wearehackerone.com` registered email.\n  - Do not attempt to gain access to, or interact with stores you didn’t create.\n  - Follow all reporting rules.\n  - Do not disclose issues publicly before resolution or without permission.\n- **Program Modifications**\n  - Shopify reserves the right to modify rules or invalidate submissions at any time.\n  - Shopify may cancel the bug bounty program without notice at any time.\n- **Contact Restrictions**\n  - Do not contact Shopify Support as part of your testing or to ask about the bounty program, to pre-validate reports nor to ask for updates. Violating this will disqualify you from receiving a reward and may result in a program ban.\n- **Employment Status**\n  - You are not an employee of Shopify\n  - Shopify employees must report bugs to the internal bug bounty program.\n- **Vulnerability Reporting**\n  - You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n\nFailure to follow any of the foregoing rules will disqualify you from participating in this program.\n- **General Rules**\n  - Reports must demonstrate relevant CVSS impact to Shopify, Shop users, our partners or our merchants with a functional proof of concept. Reports without this will be closed as N/A.\n  - Rewards are based on the highest CVSS score scenario that is plausible and linked to the root issue. Multiple reports with the same root cause will be closed as Duplicate.\n  - You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n  - By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n  - All content submitted by you to Shopify under this program is licensed under the MIT License.\n- **Notes**\n  - This program is not open to individuals who are on sanctions lists, or who are in countries on sanctions lists.\n  - You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship.\n  - Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own.\n  - There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-18T18:09:48.444Z"},{"id":3748936,"new_policy":"# Shopify's Bug Bounty Program\n\nWe reward security researchers for finding and reporting vulnerabilities that help keep our platform secure. Our bug bounty program offers rewards up to $200,000 and bonuses for outstanding contributions.\n\nHere’s what you can expect:\n- Quick review and triage of reports with high-quality evaluations.\n- Full transparency on report decisions, including adding you to duplicate reports on HackerOne.\n- Prompt bounty awards after triage, except in rare cases.\n\nWe value all contributions, from minor issues to critical vulnerabilities, as they help enhance Shopify’s security.\n\n## Getting started\n1. 
Review and understand the [participation rules](https://bugbounty.shopify.com/criteria?q=rules), the list of [assets in scope](https://bugbounty.shopify.com/criteria?q=scope), and the list of [ineligible issues](https://bugbounty.shopify.com/criteria?q=ineligible-issues).\n1. Familiarize yourself with the `@wearehackerone.com` email address which must be used when creating a Shopify account. This alias is provided by HackerOne and you can learn more about it in their [documentation](https://docs.hackerone.com/en/articles/8404308-hacker-email-alias).\n1. Create a Shopify account using [this link](https://partners.shopify.com/signup/bugbounty) and follow the registration process.\n1. You must test only against stores you have created. Testing against live merchants is prohibited and can result in reports being closed as `Not Applicable` and/or your disqualification from the Shopify bug bounty program.\n1. Consult [Shopify Help Center](https://help.shopify.com/) for further information on how to build a store and to discover platform features. For the newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n## Eligibility\nThe scope of the bug bounty program is limited to the assets listed on the scope page for this program. Valid vulnerabilities on any asset not explicitly listed in scope may be accepted but are ineligible for a reward. As a general rule:\n- Reports which do not demonstrate relevant security impact to Shopify or our Merchants by providing a functional proof of concept will be closed as N/A.\n- We reward researchers based on the scenario that yields the highest overall severity score, provided that the scenario is plausible and directly linked to the root issue. 
In cases where multiple reports share the same root cause, these will be closed as Duplicate.\n- We will only award and triage reports when the root cause is under our control.\n- IDOR eligibility will be evaluated considering the identifier predictability, the data accessed and overall impact on the service.\n- Reports of a vulnerability disclosing sensitive PII will be evaluated on a case-by-case basis, considering the overall impact on Shopify's merchant data.\n\n## Typical Bounty Amounts\nBounty amounts will be determined using [Shopify's Bug Bounty Calculator](https://bugbounty.shopify.com/calculator). In most cases, we will only triage and reward vulnerabilities with a score greater than 0. A score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a score of 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the minimum bounty per severity, scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for Confidentiality, Integrity, and Availability Requirements. In addition to the score, the bounty is lowered if it is determined that the reported issue is not scalable to impact most or all of Shopify, as indicated in our calculator.\n\n## Leaked Credentials\nIn alignment with HackerOne’s guidance and terms, Shopify accepts reports of leaked credentials, including Authentication material for Shopify APIs and/or Shopify infrastructure. Hackers should submit the leaked credentials to the program and should not test their validity beyond authenticating and then immediately deauthenticating - without exercising any functionality. 
Likewise, Hackers should not share these credentials beyond their report to the program.\n\n## Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- **Eligibility for Rewards**\n  - Only test against stores you created using your HackerOne `YOURHANDLE @ wearehackerone.com` registered email.\n  - Do not attempt to gain access to, or interact with stores you didn’t create.\n  - Follow all reporting rules.\n  - Do not disclose issues publicly before resolution or without permission.\n- **Program Modifications**\n  - Shopify reserves the right to modify rules or invalidate submissions at any time.\n  - Shopify may cancel the bug bounty program without notice at any time.\n- **Contact Restrictions**\n  - Do not contact Shopify Support as part of your testing or to ask about the bounty program, to pre-validate reports nor to ask for updates. Violating this will disqualify you from receiving a reward and may result in a program ban.\n- **Employment Status**\n  - You are not an employee of Shopify\n  - Shopify employees must report bugs to the internal bug bounty program.\n- **Vulnerability Reporting**\n  - You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n\nFailure to follow any of the foregoing rules will disqualify you from participating in this program.\n- **General Rules**\n  - Reports must demonstrate relevant CVSS impact to Shopify, Shop users, our partners or our merchants with a functional proof of concept. Reports without this will be closed as N/A.\n  - Rewards are based on the highest CVSS score scenario that is plausible and linked to the root issue. Multiple reports with the same root cause will be closed as Duplicate.\n  - You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n  - By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n  - All content submitted by you to Shopify under this program is licensed under the MIT License.\n- **Notes**\n  - This program is not open to individuals who are on sanctions lists, or who are in countries on sanctions lists.\n  - You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship.\n  - Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own.\n  - There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-28T14:37:35.222Z"},{"id":3748515,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAs a general rule:\n\n- Reports which do not demonstrate relevant [CVSS](https://shopify.github.io/appsec/cvss_calculator/) impact to Shopify or our Merchants by providing a functional proof of concept will be closed as N/A.\n- We reward researchers based on the scenario that yields the highest overall CVSS score, provided that the scenario is plausible and directly linked to the root issue. In cases where multiple reports share the same root cause, these will be closed as Duplicate.\n- We will only award and triage reports when the root cause is under our control.\n- IDOR eligibility will be evaluated considering the identifier predictability, the data accessed and overall impact on the service.\n- Reports of a vulnerability disclosing sensitive PII will be evaluated on a case by case basis, considering the overall impact on Shopify's merchant data.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. 
Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDOS (Distributed Denial of Service) issues. 
\n- Slow requests that eventually complete successfully without rendering the service **unavailable to others** do **not** constitute an availability impact for our program.\n\nTo test DoS issues please:\n- Make every effort to avoid an actual DoS on our services.\n- Start small.\n- Increase efforts incrementally.\n- As soon as you start to see a degradation in a service you are testing, please stop testing and submit a report.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Leaked Credentials\nIn alignment with HackerOne’s guidance and terms, Shopify accepts reports of leaked credentials, including Authentication material for Shopify APIs and/or Shopify infrastructure.  Hackers should submit the leaked credentials to the program and should not test their validity beyond authenticating and then immediately deauthenticating - without exercising any functionality.  Likewise, Hackers should not share these credentials beyond their report to the program. \n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert javascript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute javascript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Distribution Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute javascript in the context of a CDN domain. (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potential Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where a SSRF is technically possible, however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. \n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would gain an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Cross-origin resource sharing CORS** - Any issue reporting misconfigured CORS policies that doesn't demonstrate relevant security impact, or present on endpoints that don't expose any sensitive data, like Monorail produce endpoints.\n- **HTML Injection** - Any issue reporting HTML being rendered without demonstrating other security impact, for example code execution or data exfiltration.\n- **GraphQL alias or directive overloading issues** - Any reported issue related to GraphQL alias or directive overloading will be assessed for its potential impact on service availability before it's found eligible.\n- **Bypassing B2B customer restrictions to access storefronts, catalogs or pricing intended only for B2B customers**\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. 
This includes contacting the Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend researchers to utilize it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud based attacks.\n- Reports indicating a Staff, Partner or Organization invite sent to one email can be accepted by a different email.\n- Reports related to the possibility of a Partners account with `Manage Members` permissions to change their own permissions.\n- Perceived security weaknesses without evidence of the ability to target a remote victim. 
For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (The request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bugbounty program, feel free to bring them to the attention of our support team by following the instructions 
outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty taking into account several factors, including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (i.e. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-21T18:28:00.110Z"},{"id":3740638,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAs a general rule:\n\n- Reports which do not demonstrate relevant [CVSS](https://shopify.github.io/appsec/cvss_calculator/) impact to Shopify or our Merchants by providing a functional proof of concept will be closed as N/A.\n- We reward researchers based on the scenario that yields the highest overall CVSS score, provided that the scenario is plausible and directly linked to the root issue. In cases where multiple reports share the same root cause, these will be closed as Duplicate.\n- We will only award and triage reports when the root cause is under our control.\n- IDOR eligibility will be evaluated considering the identifier predictability, the data accessed and overall impact on the service.\n- Reports of a vulnerability disclosing sensitive PII will be evaluated on a case by case basis, considering the overall impact on Shopify's merchant data.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. 
Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDOS (Distributed Denial of Service) issues. 
\n- Slow requests that eventually complete successfully without rendering the service **unavailable to others** do **not** constitute an availability impact for our program.\n\nTo test DoS issues please:\n- Make every effort to avoid an actual DoS on our services.\n- Start small.\n- Increase efforts incrementally.\n- As soon as you start to see a degradation in a service you are testing, please stop testing and submit a report.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Leaked Credentials\nIn alignment with HackerOne’s guidance and terms, Shopify accepts reports of leaked credentials, including Authentication material for Shopify APIs and/or Shopify infrastructure.  Hackers should submit the leaked credentials to the program and should not test their validity beyond authenticating and then immediately deauthenticating - without exercising any functionality.  Likewise, Hackers should not share these credentials beyond their report to the program. \n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert javascript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute javascript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Delivery Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potentially ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would give an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Cross-origin resource sharing (CORS)** - Any issue reporting misconfigured CORS policies that doesn't demonstrate relevant security impact, or that is present on endpoints that don't expose any sensitive data, like Monorail produce endpoints.\n- **HTML Injection** - Any issue reporting HTML being rendered without demonstrating other security impact, for example code execution or data exfiltration.\n- **GraphQL alias or directive overloading issues** - Any reported issue related to GraphQL alias or directive overloading will be assessed for its potential impact on service availability before it is found eligible.\n- **Bypassing B2B customer restrictions to access storefronts, catalogs or pricing intended only for B2B customers**\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. 
This includes contacting Shopify Support.\n- **Spam / Flooding** - Email flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend that researchers use it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tabnabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud-based attacks.\n- Reports indicating a Staff, Partner or Organization invite sent to one email can be accepted by a different email.\n- Reports related to the possibility of a Partners account with `Manage Members` permissions changing its own permissions.\n- Perceived security weaknesses without evidence of the ability to target a remote victim. 
For example, credentials transmitted in a POST body as plain text, missing rate limits, brute-forcing without demonstrating impact, etc.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report, as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (the request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions 
outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty, taking into account several factors, including:\n- The likelihood of a record to be successfully taken over (i.e., can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (e.g., a test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-27T17:46:41.779Z"},{"id":3740637,"new_policy":"[# TL;DR](#user-content-tldr)\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAs a general rule:\n\n- Reports which do not demonstrate relevant [CVSS](https://shopify.github.io/appsec/cvss_calculator/) impact to Shopify or our Merchants by providing a functional proof of concept will be closed as N/A.\n- We reward researchers based on the scenario that yields the highest overall CVSS score, provided that the scenario is plausible and directly linked to the root issue. In cases where multiple reports share the same root cause, these will be closed as Duplicate.\n- We will only award and triage reports when the root cause is under our control.\n- IDOR eligibility will be evaluated considering the identifier predictability, the data accessed and overall impact on the service.\n- Reports of a vulnerability disclosing sensitive PII will be evaluated on a case by case basis, considering the overall impact on Shopify's merchant data.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. 
Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environmental Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues. 
\n- Slow requests that eventually complete successfully without rendering the service **unavailable to others** do **not** constitute an availability impact for our program.\n\nTo test DoS issues, please:\n- Make every effort to avoid an actual DoS on our services.\n- Start small.\n- Increase efforts incrementally.\n- As soon as you start to see a degradation in a service you are testing, please stop testing and submit a report.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID header of the HTTP response to the request that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Leaked Credentials\nIn alignment with HackerOne’s guidance and terms, Shopify accepts reports of leaked credentials, including authentication material for Shopify APIs and/or Shopify infrastructure. Hackers should submit the leaked credentials to the program and should not test their validity beyond authenticating and then immediately deauthenticating, without exercising any functionality. Likewise, hackers should not share these credentials beyond their report to the program.\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Delivery Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potentially ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would give an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Cross-origin resource sharing (CORS)** - Any issue reporting misconfigured CORS policies that doesn't demonstrate relevant security impact, or that is present on endpoints that don't expose any sensitive data, like Monorail produce endpoints.\n- **HTML Injection** - Any issue reporting HTML being rendered without demonstrating other security impact, for example code execution or data exfiltration.\n- **GraphQL alias or directive overloading issues** - Any reported issue related to GraphQL alias or directive overloading will be assessed for its potential impact on service availability before it is found eligible.\n- **Bypassing B2B customer restrictions to access storefronts, catalogs or pricing intended only for B2B customers**\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. 
This includes contacting Shopify Support.\n- **Spam / Flooding** - Email flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend that researchers use it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tabnabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud-based attacks.\n- Reports indicating a Staff, Partner or Organization invite sent to one email can be accepted by a different email.\n- Reports related to the possibility of a Partners account with `Manage Members` permissions changing its own permissions.\n- Perceived security weaknesses without evidence of the ability to target a remote victim. 
For example, credentials transmitted in a POST body as plain text, missing rate limits, brute-forcing without demonstrating impact, etc.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report, as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (the request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions 
outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty, taking into account several factors, including:\n- The likelihood that a record can be successfully taken over (i.e. whether the specific IP that the record points to can be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (e.g. a test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-27T17:45:06.939Z"},{"id":3740142,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines: https://partners.shopify.com/signup/bugbounty.\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAs a general rule:\n\n- Reports which do not demonstrate relevant [CVSS](https://shopify.github.io/appsec/cvss_calculator/) impact to Shopify or our Merchants by providing a functional proof of concept will be closed as N/A.\n- We reward researchers based on the scenario that yields the highest overall CVSS score, provided that the scenario is plausible and directly linked to the root issue. In cases where multiple reports share the same root cause, these will be closed as Duplicate.\n- We will only award and triage reports when the root cause is under our control.\n- IDOR eligibility will be evaluated considering the identifier predictability, the data accessed and overall impact on the service.\n- Reports of a vulnerability disclosing sensitive PII will be evaluated on a case by case basis, considering the overall impact on Shopify's merchant data.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. 
Bonuses are determined as a percentage (10% of the estimated bounty for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environmental Score modifiers set to Low for the `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues. 
\n- Slow requests that eventually complete successfully without rendering the service **unavailable to others** do **not** constitute an availability impact for our program.\n\nTo test DoS issues, please:\n- Make every effort to avoid an actual DoS on our services.\n- Start small.\n- Increase efforts incrementally.\n- As soon as you start to see a degradation in a service you are testing, please stop testing and submit a report.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Leaked Credentials\nIn alignment with HackerOne’s guidance and terms, Shopify accepts reports of leaked credentials, including authentication material for Shopify APIs and/or Shopify infrastructure. Hackers should submit the leaked credentials to the program and should not test their validity beyond authenticating and then immediately deauthenticating, without exercising any functionality. Likewise, hackers should not share these credentials beyond their report to the program.\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Delivery Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Brute-forcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potentially Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would give an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Cross-Origin Resource Sharing (CORS)** - Any issue reporting misconfigured CORS policies that does not demonstrate relevant security impact, or that is present on endpoints that don't expose any sensitive data, like Monorail produce endpoints.\n- **HTML Injection** - Any issue reporting HTML being rendered without demonstrating other security impact, for example code execution or data exfiltration.\n- **GraphQL alias or directive overloading issues** - Any reported issue related to GraphQL alias or directive overloading will be assessed for its potential impact on service availability before it's found eligible.\n- **Bypassing B2B customer restrictions to access storefronts, catalogs or pricing intended only for B2B customers**\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. 
This includes contacting Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend that researchers utilize it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud-based attacks.\n- Reports indicating a Staff, Partner or Organization invite sent to one email can be accepted by a different email.\n- Reports related to the possibility of a Partners account with `Manage Members` permissions changing its own permissions.\n- Perceived security weaknesses without evidence of the ability to target a remote victim. 
For example, credentials transmitted in a POST body as plain text, missing rate limits, brute-forcing without demonstrated impact, etc.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regard to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report, as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (the request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions 
outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty, taking into account several factors, including:\n- The likelihood that a record can be successfully taken over (i.e. whether the specific IP that the record points to can be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (e.g. a test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-23T15:40:52.309Z"},{"id":3738595,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines: https://partners.shopify.com/signup/bugbounty.\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAs a general rule:\n\n- Reports which do not demonstrate relevant [CVSS](https://shopify.github.io/appsec/cvss_calculator/) impact to Shopify or our Merchants by providing a functional proof of concept will be closed as N/A.\n- We reward researchers based on the scenario that yields the highest overall CVSS score, provided that the scenario is plausible and directly linked to the root issue. In cases where multiple reports share the same root cause, these will be closed as Duplicate.\n- We will only award and triage reports when the root cause is under our control.\n- IDOR eligibility will be evaluated considering the identifier predictability, the data accessed and overall impact on the service.\n- Reports of a vulnerability disclosing sensitive PII will be evaluated on a case by case basis, considering the overall impact on Shopify's merchant data.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. 
Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues. 
\n- Slow requests that eventually complete successfully without rendering the service **unavailable to others** do **not** constitute an availability impact for our program.\n\nTo test DoS issues please:\n- Make every effort to avoid an actual DoS on our services.\n- Start small.\n- Increase efforts incrementally.\n- As soon as you start to see a degradation in a service you are testing, please stop testing and submit a report.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Leaked Credentials\nIn alignment with HackerOne’s guidance and terms, Shopify accepts reports of leaked credentials, including Authentication material for Shopify APIs and/or Shopify infrastructure.  Hackers should submit the leaked credentials to the program and should not test their validity beyond authenticating and then immediately deauthenticating - without exercising any functionality.  Likewise, Hackers should not share these credentials beyond their report to the program. \n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Delivery Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potentially Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would gain an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting the Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend researchers to utilize it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. 
CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud-based attacks.\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials transmitted in a POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report, as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (the request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` 
permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty, taking into account several factors, including:\n- The likelihood of a record being successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (e.g. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-12T15:31:01.716Z"},{"id":3728307,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAs a general rule:\n\n- Reports which do not demonstrate relevant [CVSS](https://shopify.github.io/appsec/cvss_calculator/) impact to Shopify or our Merchants by providing a functional proof of concept will be closed as N/A.\n- We reward researchers based on the scenario that yields the highest overall CVSS score, provided that the scenario is plausible and directly linked to the root issue. In cases where multiple reports share the same root cause, these will be closed as Duplicate.\n- We will only award and triage reports when the root cause is under our control.\n- IDOR eligibility will be evaluated considering the identifier predictability, the data accessed and overall impact on the service.\n- Reports of a vulnerability disclosing sensitive PII will be evaluated on a case by case basis, considering the overall impact on Shopify's merchant data.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. 
Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues. 
\n- Slow requests that eventually complete successfully without rendering the service **unavailable to others** do **not** constitute an availability impact for our program.\n\nTo test DoS issues please:\n- Make every effort to avoid an actual DoS on our services.\n- Start small.\n- Increase efforts incrementally.\n- As soon as you start to see a degradation in a service you are testing, please stop testing and submit a report.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Leaked Credentials\nIn alignment with HackerOne’s guidance and terms, Shopify accepts reports of leaked credentials, including Authentication material for Shopify APIs and/or Shopify infrastructure.  Hackers should submit the leaked credentials to the program and should not test their validity beyond authenticating and then immediately deauthenticating - without exercising any functionality.  Likewise, Hackers should not share these credentials beyond their report to the program. \n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Delivery Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potentially Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would gain an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting the Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend researchers to utilize it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. 
CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud-based attacks.\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials transmitted in a POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regard to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report, as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (the request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` 
permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty, taking into account several factors, including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (i.e. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-31T13:01:28.545Z"},{"id":3727325,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAs a general rule:\n\n- Reports which do not demonstrate relevant [CVSS](https://shopify.github.io/appsec/cvss_calculator/) impact to Shopify or our Merchants by providing a functional proof of concept will be closed as N/A.\n- We reward researchers based on the scenario that yields the highest overall CVSS score, provided that the scenario is plausible and directly linked to the root issue. In cases where multiple reports share the same root cause, these will be closed as Duplicate.\n- We will only award and triage reports when the root cause is under our control.\n- IDOR eligibility will be evaluated considering the identifier predictability, the data accessed and overall impact on the service.\n- Reports of a vulnerability disclosing sensitive PII will be evaluated on a case by case basis, considering the overall impact on Shopify's merchant data.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. 
Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues. 
\n- Slow requests that eventually complete successfully without rendering the service **unavailable to others** do **not** constitute an availability impact for our program.\n\nTo test DoS issues please:\n- Make every effort to avoid an actual DoS on our services.\n- Start small.\n- Increase efforts incrementally.\n- As soon as you start to see a degradation in a service you are testing, please stop testing and submit a report.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Distribution Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute javascript in the context of a CDN domain. (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potential Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would gain an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting the Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend researchers to utilize it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. 
CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud-based attacks.\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials transmitted in a POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regard to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report, as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (the request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` 
permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty, taking into account several factors, including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (i.e. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-23T19:28:05.927Z"},{"id":3724055,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAs a general rule:\n\n- We reward researchers based on the scenario that yields the highest overall CVSS score, provided that the scenario is plausible and directly linked to the root issue. In cases where multiple reports share the same root cause, these will be closed as Duplicate.\n- We will only award and triage reports when the root cause is under our control.\n- IDOR eligibility will be evaluated considering the identifier predictability, the data accessed and overall impact on the service.\n- Reports of a vulnerability disclosing sensitive PII will be evaluated on a case by case basis, considering the overall impact on Shopify's merchant data.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. 
Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues. 
\n- Slow requests that eventually complete successfully without rendering the service **unavailable to others** do **not** constitute an availability impact for our program.\n\nTo test DoS issues please:\n- Make every effort to avoid an actual DoS on our services.\n- Start small.\n- Increase efforts incrementally.\n- As soon as you start to see a degradation in a service you are testing, please stop testing and submit a report.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Delivery Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Brute-forcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potentially Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would give an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting Shopify Support.\n- **Spam / Flooding** - Email flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend that researchers utilize it as a valuable resource.\n- Insecure cookie handling for account-identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical subdomain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. 
CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud-based attacks.\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials transmitted in a POST body as plain text, missing rate limits, brute-forcing without demonstrating impact, etc.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report, as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (the request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` 
permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty, taking into account several factors, including:\n- The likelihood that the record can be successfully taken over (i.e. whether the specific IP that the record points to can be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (e.g. a test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-23T22:17:42.616Z"},{"id":3714044,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues` or `Ineligible Vulnerability Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues.\n- Slow requests that eventually complete successfully without rendering the service **unavailable to others** do **not** constitute an availability impact for our program.\n\nTo test DoS issues, please:\n- Make every effort to avoid an actual DoS on our services.\n- Start small.\n- Increase efforts incrementally.\n- As soon as you start to see a degradation in a service you are testing, please stop testing and submit a report.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Delivery Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Brute-forcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potentially Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would give an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting Shopify Support.\n- **Spam / Flooding** - Email flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend that researchers use it as a valuable resource.\n- Insecure cookie handling for account-identifying cookies.\n- Tabnabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical subdomain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g., changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. 
CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud-based attacks.\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example: credentials transmitted in a POST body as plain text, missing rate limits, brute-forcing without demonstrating impact, etc.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories that we consider to have clear CVSS relevance with regard to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report, as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (the request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` 
permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty, taking into account several factors, including:\n- The likelihood that the record can be successfully taken over (e.g., can the IP address that the record points to be readily acquired by an attacker).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (e.g., a test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created that include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-12T18:42:19.255Z"},{"id":3713266,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines: https://partners.shopify.com/signup/bugbounty.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues` or `Ineligible Vulnerability Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify-owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Bounties for scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS score of 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of the bounty estimated for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environmental Score modifiers set to Low for the `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues.\n- Slow requests that eventually complete successfully without rendering the service unavailable do **not** constitute an availability impact for our program.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to the execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Delivery Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF that modifies the cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify-hosted stores - There are a number of commonly reported false positives in Shopify-hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Brute-forcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potentially ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would give an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting Shopify Support.\n- **Spam / Flooding** - Email flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend that researchers use it as a valuable resource.\n- Insecure cookie handling for account-identifying cookies.\n- Tabnabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical subdomain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g., changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. 
CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud-based attacks.\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example: credentials transmitted in a POST body as plain text, missing rate limits, brute-forcing without demonstrating impact, etc.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories that we consider to have clear CVSS relevance with regard to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report, as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (the request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` 
permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty, taking into account several factors, including:\n- The likelihood that the record can be successfully taken over (e.g., can the IP address that the record points to be readily acquired by an attacker).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (e.g., a test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created that include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-26T14:31:32.738Z"},{"id":3713046,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines: https://partners.shopify.com/signup/whitehat.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues` or `Ineligible Vulnerability Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues.\n- Slow requests that eventually complete successfully without rendering the service unavailable do **not** constitute an availability impact for our program.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Distribution Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute javascript in the context of a CDN domain. (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potential Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would gain an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting the Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend researchers to utilize it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. 
CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud based attacks.\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (The request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` 
permission being able read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bugbounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty taking into account several factors, including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (i.e. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-21T16:28:36.438Z"},{"id":3712754,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues.\n- Slow requests that eventually complete successfully without rendering the service unavailable do **not** constitute an availability impact for our program.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Distribution Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute javascript in the context of a CDN domain. (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potential Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would gain an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Rate limiting / Brute force** - If you've encountered an endpoint that is not rate limited, please ensure that the given endpoint is handling sensitive information. If it is, please provide a proof of concept that demonstrates the ability to brute force the endpoint with at least 300 requests.\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting the Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend researchers to utilize it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud based attacks. \n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (The request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't 
authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty taking into account several factors, including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (i.e. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-16T14:33:09.343Z"},{"id":3712753,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues.\n- Slow requests that eventually complete successfully without rendering the service unavailable do **not** constitute an availability impact for our program.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert javascript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute javascript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Distribution Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute javascript in the context of a CDN domain. (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potential Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another **eligible** vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible, however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would gain an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Rate limiting / Brute force** - If you've encountered an endpoint that is not rate limited, please ensure that the given endpoint is handling sensitive information. If it is, please provide a proof of concept that demonstrates the ability to brute force the endpoint with at least 300 requests.\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting the Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend researchers to utilize it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud based attacks. \n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (The request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't 
authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty taking into account several factors, including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (i.e. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-16T14:31:22.807Z"},{"id":3712751,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environmental Score modifiers set to Low for the `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues.\n- Slow requests that eventually complete successfully without rendering the service unavailable do **not** constitute an availability impact for our program.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Delivery Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com or cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potential Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **HTML Injection in emails** - Any issue that allows a user to inject arbitrary HTML into emails, unless it is chained together with another vulnerability to demonstrate impact.\n- **SSRF** - There are several places where a SSRF is technically possible, however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would give an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Rate limiting / Brute force** - If you've encountered an endpoint that is not rate limited, please ensure that the given endpoint is handling sensitive information. If it is, please provide a proof of concept that demonstrates the ability to brute force the endpoint with at least 300 requests.\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend that researchers use it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud based attacks. \n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (The request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't 
authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty taking into account several factors, including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (i.e. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-16T13:41:04.211Z"},{"id":3712662,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues` or `Ineligible Vulnerability Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environmental Score modifiers set to Low for the `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, admin.shopify.com, shop.app, server.shop.app, partners.shopify.com and *.shopifycs.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nIn our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:\n- We only consider DoS issues that can be triggered by a single user with a single request.\n- We only consider DoS issues that cause a significant disruption to the **entire** service, not just an individual shop or instance.\n- We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues.\n- Slow requests that eventually complete successfully without rendering the service unavailable do **not** constitute an availability impact for our program.\n\nIf you think you have found an eligible DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Delivery Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com or cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n- **Template sanitization bypasses in Order Printer**\n\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile 
applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potential Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **SSRF** - There are several places where a SSRF is technically possible, however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would give an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Rate limiting / Brute force** - If you've encountered an endpoint that is not rate limited, please ensure that the given endpoint is handling sensitive information. If it is, please provide a proof of concept that demonstrates the ability to brute force the endpoint with at least 300 requests.\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting Shopify Support.\n- **Spam / Flooding** - Email flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend that researchers use it as a valuable resource.\n- Insecure cookie handling for account-identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Reports related to CVV validation during payment. CVV validation rules may differ across markets, and Shopify implements other controls to protect merchants against fraud-based attacks.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regard to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (The request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't 
authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for a bounty, taking into account several factors, including:\n- The likelihood that the record can be successfully taken over (i.e. whether the specific IP that the record points to can be readily requisitioned from its owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (e.g. a test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-14T17:36:42.198Z"},{"id":3712420,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, shop.pay, and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nWe encourage you to report any Denial of Service (DoS) issues you find. However, we only accept DoS issues that are exploitable by a single user with a single request. We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues. Also, please note that a slow request does **not** constitute an availability impact for our program - if a particular request takes a long time to process, but eventually completes successfully and doesn't cause the service to become unavailable or crash, the availability of the system is not considered to be impacted.\n\nIf you think you have found a DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Distribution Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute javascript in the context of a CDN domain. (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile applications that are not considered vulnerabilities.**\n\nThe 
following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Brute-forcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potential Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**. We are running instances of a service similar to [SSRF-sheriff](https://github.com/teknogeek/ssrf-sheriff) that we built. You can access the instances at `http://web.ssrf-sheriff.svc.cluster.local` for the purpose of validating SSRF findings.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would give an attacker access to sensitive information. 
The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Rate limiting / Brute force** - If you've encountered an endpoint that is not rate limited, please ensure that the given endpoint is handling sensitive information. If it is, please provide a proof of concept that demonstrates the ability to brute force the endpoint with at least 300 requests.\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting Shopify Support.\n- **Spam / Flooding** - Email flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend that researchers use it as a valuable resource.\n- Insecure cookie handling for account-identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Failure to implement security best practices such as rate limiting, CSP, minimum password strength, and mobile binary protection without demonstrating direct impact to users.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (The request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do 
so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for a bounty, taking into account several factors, including:\n- The likelihood that the record can be successfully taken over (i.e. whether the specific IP that the record points to can be readily requisitioned from its owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (e.g. a test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-09T19:49:12.936Z"},{"id":3710148,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, shop.pay, and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nWe encourage you to report any Denial of Service (DoS) issues you find. However, we only accept DoS issues that are exploitable by a single user with a single request. We explicitly do not accept any kind of DDOS (Distributed Denial of Service) issues. Also, please note that a slow request does **not** constitute an availability impact for our program - if a particular request takes a long time to process, but eventually completes successfully and doesn't cause the service to become unavailable or crash, the availability of the system is not considered to be impacted.\n\nIf you think you have found a DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Delivery Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n- **User permission issues in Stocky**\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile applications that are not considered vulnerabilities.**\n\nThe 
following vulnerability types will be closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potentially Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would gain an attacker access to sensitive information. The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Rate limiting / Brute force** - If you've encountered an endpoint that is not rate limited, please ensure that the given endpoint is handling sensitive information. 
If it is, please provide a proof of concept that demonstrates the ability to brute force the endpoint with at least 300 requests.\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting Shopify Support.\n- **Spam / Flooding** - Email flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend that researchers utilize it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Failure to implement security best practices such as rate limiting, CSP, minimum password strength, and mobile binary protection without demonstrating direct impact to users.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (The request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do 
so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty, taking into account several factors, including:\n- The likelihood of a record being successfully taken over (i.e., can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (e.g., a test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-03T16:16:42.559Z"},{"id":3710094,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, shop.pay, and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nWe encourage you to report any Denial of Service (DoS) issues you find. However, we only accept DoS issues that are exploitable by a single user with a single request. We explicitly do not accept any kind of DDOS (Distributed Denial of Service) issues. Also, please note that a slow request does **not** constitute an availability impact for our program - if a particular request takes a long time to process, but eventually completes successfully and doesn't cause the service to become unavailable or crash, the availability of the system is not considered to be impacted.\n\nIf you think you have found a DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert JavaScript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute JavaScript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Delivery Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute JavaScript in the context of a CDN domain (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be 
closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potentially Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible; however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would gain an attacker access to sensitive information. The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Rate limiting / Brute force** - If you've encountered an endpoint that is not rate limited, please ensure that the given endpoint is handling sensitive information. 
If it is, please provide a proof of concept that demonstrates the ability to brute force the endpoint with at least 300 requests.\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting Shopify Support.\n- **Spam / Flooding** - Email flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend that researchers utilize it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n- Failure to implement security best practices such as rate limiting, CSP, minimum password strength, and mobile binary protection without demonstrating direct impact to users.\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (The request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do 
so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty taking into account several factors, including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (i.e. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-02T17:46:00.512Z"},{"id":3706762,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, shop.pay, and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nWe encourage you to report any Denial of Service (DoS) issues you find. However, we only accept DoS issues that are exploitable by a single user with a single request. We explicitly do not accept any kind of DDOS (Distributed Denial of Service) issues. Also, please note that a slow request does **not** constitute an availability impact for our program - if a particular request takes a long time to process, but eventually completes successfully and doesn't cause the service to become unavailable or crash, the availability of the system is not considered to be impacted.\n\nIf you think you have found a DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert javascript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute javascript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Distribution Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute javascript in the context of a CDN domain. (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be 
closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potential Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible, however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would give an attacker access to sensitive information. The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Rate limiting / Brute force** - If you've encountered an endpoint that is not rate limited, please ensure that the given endpoint is handling sensitive information. 
If it is, please provide a proof of concept that demonstrates the ability to brute force the endpoint with at least 300 requests.\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend that researchers utilize it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. 
These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (The request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty taking into account several factors, 
including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (i.e. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We will disqualify you from receiving a reward, and may disqualify you from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-07T22:51:58.126Z"},{"id":3703273,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, shop.pay, and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nWe encourage you to report any Denial of Service (DoS) issues you find. However, we only accept DoS issues that are exploitable by a single user with a single request. We explicitly do not accept any kind of DDOS (Distributed Denial of Service) issues. Also, please note that a slow request does **not** constitute an availability impact for our program - if a particular request takes a long time to process, but eventually completes successfully and doesn't cause the service to become unavailable or crash, the availability of the system is not considered to be impacted.\n\nIf you think you have found a DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert javascript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute javascript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Distribution Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute javascript in the context of a CDN domain. (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be 
closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potential Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible, however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would gain an attacker access to sensitive information. The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Rate limiting / Brute force** - If you've encountered an endpoint that is not rate limited, please ensure that the given endpoint is handling sensitive information. 
If it is, please provide a proof of concept that demonstrates the ability to brute force the endpoint with at least 300 requests.\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting the Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- **Enabled GraphQL introspection query** - We highly recommend researchers to utilize it as a valuable resource.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. 
These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (the request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty taking into account several factors, 
including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (i.e. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-09-22T18:12:33.701Z"},{"id":3703265,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, shop.pay, and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nWe encourage you to report any Denial of Service (DoS) issues you find. However, we only accept DoS issues that are exploitable by a single user with a single request. We explicitly do not accept any kind of DDOS (Distributed Denial of Service) issues. Also, please note that a slow request does **not** constitute an availability impact for our program - if a particular request takes a long time to process, but eventually completes successfully and doesn't cause the service to become unavailable or crash, the availability of the system is not considered to be impacted.\n\nIf you think you have found a DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert javascript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute javascript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Distribution Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute javascript in the context of a CDN domain. (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be 
closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potential Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **SSRF** - There are several places where an SSRF is technically possible, however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would gain an attacker access to sensitive information. The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Rate limiting / Brute force** - If you've encountered an endpoint that is not rate limited, please ensure that the given endpoint is handling sensitive information. 
If it is, please provide a proof of concept that demonstrates the ability to brute force the endpoint with at least 300 requests.\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting the Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. 
These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (the request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty taking into account several factors, 
including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (i.e. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-09-22T17:01:44.591Z"},{"id":3698943,"new_policy":"# TL;DR\nAt Shopify, we take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.\n\nTo participate, you must create an account using a `@wearehackerone.com` email address and only test against accounts you create. Before reporting any issues, please review our list of known issues. 
We encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\n\nWe pay bounties based on CVSS scores using our CVSS Bounty Calculator (https://shopify.github.io/appsec/cvss_calculator/), and we usually award bounties within a week of triage.\n\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n\n\nIf you need further clarification of the rules or scope of our bug bounty program, please don't hesitate to contact us at bugbounty@shopify.com.\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe value all security researchers and expect mutual respect between our team and participants. We strive to:\n- Reply to all reports within one business day and triage within two business days (if applicable).\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports.\n- Award bounties within a week of triage (excluding extenuating circumstances).\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types`, or lacks evidence of a vulnerability.\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. All Shopify developed applications are in scope (https://apps.shopify.com/partners/shopify) for this program.\n\nYou should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a response from the developer within one week. If you do so, please include the following information in your report:\n\n- The name of the app\n- The name of the developer\n- The URL of the app\n- The vulnerability you are reporting\n- The steps to reproduce the vulnerability\n- The impact of the vulnerability\n- The severity of the vulnerability\n\nPlease note that Shopify will not pay a bounty for vulnerabilities in third party apps and the report will be closed as \"Informative\".\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed on [the scope page for this program](https://hackerone.com/shopify/policy_scopes). 
**Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\n# Typical Bounty Amounts\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and a maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity`, and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com, shop.pay, and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, and our mobile applications.\n\n# Google Play Bonus\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Denial of Service\nWe encourage you to report any Denial of Service (DoS) issues you find. However, we only accept DoS issues that are exploitable by a single user with a single request. We explicitly do not accept any kind of DDOS (Distributed Denial of Service) issues.\n\nIf you think you have found a DoS issue, please include the following information in your report:\n- The URL of the page that is vulnerable to DoS\n- The X-Request-ID of the HTTP response that causes the DoS\n- The HTTP request that causes the DoS\n- The HTTP response that is returned by the server after the DoS has been triggered\n- The time it takes for the DoS to be triggered\n\n# Known issues\n\nThe following issues or behaviours are by design or otherwise known to Shopify. Submitting a report that falls into this category will result in the report being closed as **Not Applicable**.\n\n**XSS - At Shopify we allow merchants to use HTML in their store descriptions, product descriptions, and other fields. 
We do not consider this a vulnerability.**\n\nThe following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:\n  - **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n  - **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n  - **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n  - **XSS - Shopify Checkout** - Any issue where a store staff member is able to insert javascript in the checkout area of their own store (this includes *.shopifypreview.com).\n  - **XSS - Set Header** - Any issue that requires full control of an HTTP header, such as `Referer`, `Host`, etc.\n  - **XSS - Inspect Element/Console** - Any issue that requires the use of the browser's developer tools to execute javascript.\n  - **XSS - Self-XSS** - Any issue without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n\n**CDN - At Shopify we encourage merchants to use our CDN (static.shopify.com, cdn.shopify.com and other storage domains) to host any files they want. 
We do not consider this a vulnerability because this content runs in a separate context and cannot directly impact our platform.**\n\nThe following CDN (Content Distribution Network) types are explicitly out of scope for this program and will be closed as `Not Applicable`:\n  - **CDN - Arbitrary file upload** - Any issue where a store staff member is able to upload arbitrary files to our CDN.\n  - **CDN - Stored XSS** - Any issue where a store staff member is able to upload arbitrary files to our CDN and execute javascript in the context of a CDN domain. (static.shopify.com and cdn.shopify.com).\n  - **CDN - Sensitive data disclosure** - All files on the Content Delivery Network (cdn.shopify.com) are public by design.\n\n\nThe following CSRF (Cross-Site Request Forgery) types are explicitly out of scope:\n  - CSRF access to modify cart\n  - CSRF for Login or Logout (unless it is chained together with another vulnerability to demonstrate impact)\n\n**Shopify hosted stores - There are a number of commonly reported false positives in Shopify hosted (*.myshopify.com) stores that are not considered vulnerabilities.**\n\nThe following vulnerability types will be closed as `Not Applicable`:\n- **Staff access to**:\n  - /admin/settings/shop.json\n  - /admin/settings/account.json\n  - /admin/settings/users.json\n  - /admin/settings/locations.json\n- **Intended Public files**:\n  - payments/config.json\n- **Password reset tokens don’t expire when changing email address**\n- **Email address doesn't require verification on signup**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **User or store name enumeration**\n- **Insecure “Opening Soon” password**\n\n\n**Mobile / PoS - There are a number of commonly reported false positives in the Shopify mobile applications that are not considered vulnerabilities.**\n\nThe following vulnerability types will be 
closed as `Not Applicable`:\n  - **Physical access to the device** - Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n  - **Mobile application biometrics bypass**\n  - **Lack of mobile binary protection or SSL pinning**\n  - **Lack of mobile application encryption**\n  - **Issues that can only be exploited on an emulated device**\n  - **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n\n# Potential Ineligible vulnerability types\n\nShopify does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable**:\n- **Open Redirect** - Any issue that allows a user to be redirected to an arbitrary URL without user interaction, unless it is chained together with another vulnerability to demonstrate impact.\n- **SSRF** - There are several places where a SSRF is technically possible, however, a simple HTTP/DNS interaction is not considered a vulnerability by itself. In most cases, these issues will be closed as **Not Applicable**.\n- **Race Conditions** - If you've encountered a race condition, please ensure that it is exploitable and would gain an attacker access to sensitive information. The following race conditions would **not** be eligible:\n  - Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- **Rate limiting / Brute force** - If you've encountered an endpoint that is not rate limited, please ensure that the given endpoint is handling sensitive information. 
If it is, please provide a proof of concept that demonstrates the ability to brute force the endpoint with at least 300 requests.\n\n# Ineligible vulnerability types\n\nThe following vulnerability types are explicitly out of scope for this program and will be closed as `Not Applicable` immediately:\n\n- **Social Engineering** - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a Shopify employee. This includes contacting the Shopify Support.\n- **Spam / Flooding** - E-Mail flooding, SMS flooding, or any other type of flooding.\n- **Vulnerability Scanner False Positives** - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.\n- Insecure cookie handling for account identifying cookies.\n- Tab nabbing.\n- Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing).\n- CSV / formula injection.\n- Hyperlink injection.\n- Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.\n- Distributed Denial of Service.\n- Content spoofing.\n- Disclosure of server or software version numbers.\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim.\n- Reports related to permitted password strength.\n- Theoretical sub-domain takeovers with no supporting evidence.\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. changing admin view settings, such as saved searches).\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers.\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. 
These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes).\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop (The request made must directly result in the impact).\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty taking into account several factors, 
including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner).\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.\n- The purpose of the domain if it can be inferred from the record (i.e. test app).\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-25T14:24:40.878Z"},{"id":3690121,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $200,000 reflects that.\n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. 
**Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report. 
Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Email address doesn't require verification on signup**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regard to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes)\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop. 
(The request made must directly result in the impact.)\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n## Subdomain Takeovers\nReports related to dangling domain records will be evaluated on a case-by-case basis for bounty, taking into account several factors, including:\n- The likelihood of a record to be successfully taken over (i.e. can the specific IP that the record points to be readily requisitioned from an owner)\n- The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations\n- The purpose of the domain if it can be inferred from the record (e.g. test app)\n\nMost of these reports will result in CVSS 0 and, therefore, will be ineligible for a bounty. 
If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-28T22:52:30.497Z"},{"id":3689404,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $200,000 reflects that.\n\nIf you submit a valid and bounty-eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report. Bonuses are determined as a percentage (10% of what the bounty is estimated at for an exploitable issue), with a minimum of $500 and maximum of $5,000.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Email address doesn't require verification on signup**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Staff Member Permissions\nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regard to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes)\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop. 
(The request made must directly result in the impact.)\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-15T14:48:48.900Z"},{"id":3689012,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $200,000 reflects that.\n\nIf you submit a valid and bounty-eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/bugbounty.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Email address doesn't require verification on signup**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection or mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example: credentials transmitted in a POST body as plain text, missing rate limits, brute forcing without demonstrated impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Staff Member Permissions \nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes)\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop. (The request made must directly result in the impact.) 
\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-07T14:58:12.328Z"},{"id":3688482,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $200,000 reflects that.\n\nIf you submit a valid and bounty-eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Email address doesn't require verification on signup**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection or mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example: credentials transmitted in a POST body as plain text, missing rate limits, brute forcing without demonstrated impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Staff Member Permissions \nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes)\n  - Valid: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Invalid: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop. (The request made must directly result in the impact.) 
\n  - Valid: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Invalid: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Valid: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Invalid: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-01T19:57:31.791Z"},{"id":3688457,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $200,000 reflects that.\n\nIf you submit a valid and bounty-eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Email address doesn't require verification on signup**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Staff Member Permissions \nShopify has a rich set of granular permissions that we offer in the Shopify admin and the Partners Dashboard. These are documented [here](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions/staff-permissions-descriptions).\n\nThe following are the categories which we consider to have clear CVSS relevance with regards to staff member permissions. If the observed behavior does not fit into these categories, please carefully consider the practical impact of the finding prior to opening a report as it risks being closed as N/A.\n\n- Demonstrates the ability for a staff member to escalate their privileges to one of our _Sensitive Permissions_ (Manage Settings, Manage Payment Settings and Themes)\n  - Good: Staff member with `orders` permission can perform an action that is normally scoped to `Manage Settings`.\n  - Bad: Staff member with `Manage Settings` permission can perform an action that is not specifically listed in the public documentation description.\n- Demonstrates a direct financial impact on the Shop. (The request made must directly result in the impact.) 
\n  - Good: Lowering the price of an existing product available on sales channels without the appropriate permission.\n  - Bad: Adding additional variants of a product at a lower price but without making them available on sales channels.\n- Demonstrates impact on Buyer PII that the staff member isn't already authorized for.\n  - Good: Staff members having access to read or edit Buyer PII when they aren't authorized to do so.\n  - Bad: Staff members with the `orders` permission being able to read or write basic buyer information.\n\nFor staff permission issues which are not relevant to our bug bounty program, feel free to bring them to the attention of our support team by following the instructions outlined [here](https://github.com/Shopify/bugbounty-resources/blob/master/how_to_report_functional_issues.md).\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-01T15:01:14.547Z"},{"id":3686640,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $200,000 reflects that.\n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Email address doesn't require verification on signup**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-27T16:00:08.632Z"},{"id":3685042,"new_policy":"📣 Announcement\n=====================\nExpect delays through April 10th\n---------------------\n\nWe are receiving a higher volume of reports than is typical.  Please expect longer than usual response times for triage, comments, resolution, and disclosure requests.\nThanks for your patience \u0026 Happy Hacking!\n\n \n \n\n \n \n# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $200,000 reflects that.\n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Email address doesn't require verification on signup**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-20T14:05:59.675Z"},{"id":3682846,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $200,000 reflects that.\n\nIf you submit a valid and bounty-eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the [Blogs](https://help.shopify.com/en/manual/online-store/blogs/adding-a-blog#add-a-blog) and [Pages](https://help.shopify.com/en/manual/online-store/themes/theme-structure/pages#add-a-new-webpage-to-your-online-store) section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Email address doesn't require verification on signup**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials transmitted in the POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-01T14:04:57.610Z"},{"id":3682107,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $100,000 reflects that.\n\nIf you submit a valid and bounty-eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Blogs and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials transmitted in the POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-17T17:03:13.936Z"},{"id":3681482,"new_policy":"📣 Announcement\n=====================\nExpect delays from December 22nd through January 16th\n=====================\n\nWhile our team members celebrate the holiday season, we anticipate longer than usual response times for triage, comments, resolution, and disclosure requests.\n\nWe appreciate your patience and look forward to working with you more in 2023!\n**Happy Holidays!**\n\n# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $100,000 reflects that.\n\nIf you submit a valid and bounty-eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Blogs and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-21T22:59:58.546Z"},{"id":3675325,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $100,000 reflects that.\n\nIf you submit a valid and bounty-eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Third Party Apps\nVulnerabilities found in Shopify third party apps (https://apps.shopify.com/) should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Blogs and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-27T20:15:38.946Z"},{"id":3668380,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $100,000 reflects that.\n\nIf you submit a valid and bounty-eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Blogs and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute JavaScript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account-identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Brute-forcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection or mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials transmitted in a POST body as plain text, missing rate limits, brute-forcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-22T20:12:29.077Z"},{"id":3666977,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that.\n\nIf you submit a valid and bounty-eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS score of 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with the CVSS Environmental Score's `Confidentiality`, `Integrity` and `Availability` Requirement modifiers (CR, IR and AR) set to Low, which lowers the resulting score compared with the same finding on a core property.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store (this includes *.shopifypreview.com).\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Blogs and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute JavaScript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account-identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Brute-forcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection or mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials transmitted in a POST body as plain text, missing rate limits, brute-forcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-23T21:49:32.971Z"},{"id":3657949,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that.\n\nIf you submit a valid and bounty-eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS score of 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with the CVSS Environmental Score's `Confidentiality`, `Integrity` and `Availability` Requirement modifiers (CR, IR and AR) set to Low, which lowers the resulting score compared with the same finding on a core property.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert JavaScript in the storefront area of their own store, including the checkout pages and *.shopifypreview.com.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Blogs and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute JavaScript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account-identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Brute-forcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n- **User permission issues in Stocky**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection or mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials transmitted in a POST body as plain text, missing rate limits, brute-forcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-07T14:03:30.614Z"},{"id":3657416,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that.\n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. 
In these situations, we pay both hackers.\n- If a duplicate report demonstrates a higher CVSS (e.g., a proof of concept with `PR:N` required versus `PR:L` on the original report), we re-calculate the CVSS and pay the bounty difference to the duplicate reporter.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). 
Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only triage and reward vulnerabilities with a CVSS score greater than 0**. A CVSS score under 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we may choose to accept and award a bonus for an issue with a CVSS 0 when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store, including the checkout pages and *.shopifypreview.com.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Blogs and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Staff members with \"Edit Permissions\" removing permissions they do not have themselves**\n- **Bruteforcing Point of Sale PINs. These are intentionally short and meant to protect terminals from being accessed in physical locations.**\n- **Bypassing Packing Slip HTML sanitization checks to make external HTTP requests.**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-25T18:59:17.986Z"},{"id":3653633,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that.\n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. 
Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only** reward vulnerabilities with a CVSS score greater than 0. A CVSS score between 0 and 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we will award a bonus for an issue with a CVSS 0. 
This is typically only done when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Blogs and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (ex. 
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-18T16:28:47.286Z"},{"id":3652069,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that.\n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**.
Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only** reward vulnerabilities with a CVSS score greater than 0. A CVSS score between 0 and 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we will award a bonus for an issue with a CVSS score of 0.
This is typically only done when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection or mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials transmitted in a POST body as plain text, missing rate limits, brute-forcing without demonstrated impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g.
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-07T20:54:45.119Z"},{"id":3651115,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that.\n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address.
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**.
Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only** reward vulnerabilities with a CVSS score greater than 0. A CVSS score between 0 and 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we will award a bonus for an issue with a CVSS score of 0.
This is typically only done when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Legal settings, Blogs section, and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection or mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials transmitted in a POST body as plain text, missing rate limits, brute-forcing without demonstrated impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)\n- Perceived permission issues without impact on the integrity or confidentiality of data (e.g.
changing admin view settings, such as saved searches)\n- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-14T12:46:59.714Z"},{"id":3650949,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that.\n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address.
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**.
Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only** reward vulnerabilities with a CVSS score greater than 0. A CVSS score between 0 and 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we will award a bonus for an issue with a CVSS score of 0.
This is typically only done when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store staff member is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Legal settings, Blogs section, and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store staff member is able to upload arbitrary files to our CDN.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. 
For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-08T17:33:13.640Z"},{"id":3650290,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that.\n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. 
Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only** reward vulnerabilities with a CVSS score greater than 0. A CVSS score between 0 and 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we will award a bonus for an issue with a CVSS 0. 
This is typically only done when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Legal settings, Blogs section, and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n- **Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. 
For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-24T14:44:22.629Z"},{"id":3649996,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that.\n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. 
Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only** reward vulnerabilities with a CVSS score greater than 0. A CVSS score between 0 and 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. In rare cases, we will award a bonus for an issue with a CVSS 0. 
This is typically only done when we see a high potential for future security impact, and make a change as a result of the report.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Legal settings, Blogs section, and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. 
For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-17T19:56:05.857Z"},{"id":3649714,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that.\n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of triage (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. 
Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts\n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only** reward vulnerabilities with a CVSS score greater than 0. A CVSS score between 0 and 3 will result in a $500 bounty. 
Scores greater than or equal to 3 will be determined by the calculator.\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Legal settings, Blogs section, and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/shop.json with no permissions (also applies to account.json, users.json and locations.json)** - These endpoints are intentionally available to all staff.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Email flooding\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim\n- Reports related to permitted password strength\n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Self-XSS without a reasonable attack scenario. In general, we accept these reports when there are a maximum of two steps required. 
For example, pasting a malicious payload into an editor and then clicking to preview it would be two steps.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. 
You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License.\n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-08T18:58:08.785Z"},{"id":3649599,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. 
Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only** reward vulnerabilities with a CVSS score greater than 0. A CVSS score between 0 and 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. 
\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Legal settings, Blogs section, and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n- Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-05T01:03:17.554Z"},{"id":3646340,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. 
Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only** reward vulnerabilities with a CVSS score greater than 0. A CVSS score between 0 and 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. 
\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Legal settings, Blogs section, and Pages section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-01T18:31:12.326Z"},{"id":3644660,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nWe pay our bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. 
Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nBounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only** reward vulnerabilities with a CVSS score greater than 0. A CVSS score between 0 and 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. 
\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Legal settings and Blogs section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-02T16:36:01.334Z"},{"id":3643444,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nFor the month of October 2020, we are paying bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n- Reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both hackers.\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. 
Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nFor the month of October, bounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only** reward vulnerabilities with a CVSS score greater than 0. A CVSS score between 0 and 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. 
\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with Environment Score modifiers set to Low for `Confidentiality`, `Integrity` and `Availability` Requirements.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Legal settings and Blogs section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-07T18:13:06.602Z"},{"id":3643082,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. 
We have a list of known issues you should review before reporting.\n\nFor the month of October 2020, we are paying bounties based on CVSS scores using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/).\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. 
Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nFor the month of October, bounty amounts will be determined using our [CVSS Bounty Calculator](https://shopify.github.io/appsec/cvss_calculator/). In most cases, we will **only** reward vulnerabilities with a CVSS score greater than 0. A CVSS score between 0 and 3 will result in a $500 bounty. Scores greater than or equal to 3 will be determined by the calculator. 
\n\nWhile our bounty table states the **minimum bounty** per severity, CVSS scores for non-core properties listed in scope will be determined with the CVSS Environmental metrics for the `Confidentiality`, `Integrity` and `Availability` Requirements set to Low.\n\n\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels. All other scopes are part of the \"Non-Core\" category. This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Legal settings and Blogs section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-01T13:21:23.070Z"},{"id":3642595,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. We have a list of known issues you should review before reporting.\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. 
We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core | Non-Core\n--- | --- | ---\nArbitrary code execution | $20,000 - $50,000 | $10,000 - $25,000\nSQL Injection | $20,000 - $40,000 | $10,000 - $20,000\nPrivilege escalation to shop owner | $10,000 - $30,000 | $5,000 - $15,000\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1,000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with known exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with known exceptions below)** | $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)** | $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\nDenial of service **(with exceptions below)** | $500 - $1,500 | $500\nOpen redirect **(with exceptions below)** | $500 - $1,000 | $500\n\n\n*\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels.*\n\n*All other scopes are part of the \"Non-Core\" category. 
This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.*\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an entire application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).*\n\n*Open Redirect vulnerabilities will be ineligible for a bounty unless additional security impact can be demonstrated, e.g., stealing authentication tokens.*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Legal settings and Blogs section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n- **Lack of domain verification when adding a custom domain to your shop.**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-18T20:18:00.458Z"},{"id":3642125,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. We have a list of known issues you should review before reporting.\n\nHappy Hacking!\n\n# Introduction\nShopify's bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. 
We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n# Accounts\nWe encourage security researchers to sign up for a bug bounty partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a bug bounty partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the bug bounty program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core | Non-Core\n--- | --- | ---\nArbitrary code execution | $20,000 - $50,000 | $10,000 - $25,000\nSQL Injection | $20,000 - $40,000 | $10,000 - $20,000\nPrivilege escalation to shop owner | $10,000 - $30,000 | $5,000 - $15,000\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1,000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with known exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with known exceptions below)** | $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)** | $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\nDenial of service **(with exceptions below)** | $500 - $1,500 | $500\nOpen redirect **(with exceptions below)** | $500 - $1,000 | $500\n\n\n*\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels.*\n\n*All other scopes are part of the \"Non-Core\" category. 
This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.*\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an entire application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).*\n\n*Open Redirect vulnerabilities will be ineligible for a bounty unless additional security impact can be demonstrated, e.g., stealing authentication tokens.*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Issues relating to execution of JavaScript in the legacy Rich Text Editor in the Legal settings and Blogs section of the Shopify admin.\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the bug bounty program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-08T21:03:34.556Z"},{"id":3642025,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. We have a list of known issues you should review before reporting.\n\nHappy Hacking!\n\n# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. 
We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core | Non-Core\n--- | --- | ---\nArbitrary code execution | $20,000 - $50,000 | $10,000 - $25,000\nSQL Injection | $20,000 - $40,000 | $10,000 - $20,000\nPrivilege escalation to shop owner | $10,000 - $30,000 | $5,000 - $15,000\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1,000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with known exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with known exceptions below)** | $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)** | $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\nDenial of service **(with exceptions below)** | $500 - $1,500 | $500\nOpen redirect **(with exceptions below)** | $500 - $1,000 | $500\n\n\n*\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels.*\n\n*All other scopes are part of the \"Non-Core\" category. 
This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.*\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an entire application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).*\n\n*Open Redirect vulnerabilities will be ineligible for a bounty unless additional security impact can be demonstrated, e.g., stealing authentication tokens.*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (prevalidating reports, testing against support, asking for updates, etc.) is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-03T21:45:29.922Z"},{"id":3639959,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. We have a list of known issues you should review before reporting.\n\nHappy Hacking!\n\n# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. 
We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core | Non-Core\n--- | --- | ---\nArbitrary code execution | $20,000 - $50,000 | $10,000 - $25,000\nSQL Injection | $20,000 - $40,000 | $10,000 - $20,000\nPrivilege escalation to shop owner | $10,000 - $30,000 | $5,000 - $15,000\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1,000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with known exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with known exceptions below)** | $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)** | $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\nDenial of service **(with exceptions below)** | $500 - $1,500 | $500\nOpen redirect **(with exceptions below)** | $500 - $1,000 | $500\n\n\n*\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels.*\n\n*All other scopes are part of the \"Non-Core\" category. 
This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.*\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).*\n\n*Open Redirect vulnerabilities will be ineligible for a bounty unless additional security impact can be demonstrated, e.g., stealing authentication tokens.*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support by any means in relation to this bounty program (prevalidating reports, testing against support, asking for updates, etc.) is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-22T13:50:54.077Z"},{"id":3638297,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. We have a list of known issues you should review before reporting.\n\nHappy Hacking!\n\n# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. 
We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core | Non-Core\n--- | --- | ---\nArbitrary code execution | $20,000 - $50,000 | $10,000 - $25,000\nSQL Injection | $20,000 - $40,000 | $10,000 - $20,000\nPrivilege escalation to shop owner | $10,000 - $30,000 | $5,000 - $15,000\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with known exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with known exceptions below)** | $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)** | $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\nDenial of service **(with exceptions below)** | $500 - $1500 | $500\nOpen redirect **(with exceptions below)** | $500 - $1,000 | $500\n\n\n*\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels.*\n\n*All other scopes are part of the \"Non-Core\" category. 
This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.*\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).*\n\n*Open Redirect vulnerabilities will be ineligible for a bounty unless additional security impact can be demonstrated, e.g., stealing authentication tokens.*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Mobile application biometrics bypass**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials are transmitted in POST body as plain text, missing rate limits, brute-forcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-22T19:38:11.268Z"},{"id":3636001,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. We have a list of known issues you should review before reporting.\n\nHappy Hacking!\n\n# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. 
We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core | Non-Core\n--- | --- | ---\nArbitrary code execution | $20,000 - $50,000 | $10,000 - $25,000\nSQL Injection | $20,000 - $40,000 | $10,000 - $20,000\nPrivilege escalation to shop owner | $10,000 - $30,000 | $5,000 - $15,000\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with known exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with known exceptions below)** | $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)** | $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\nDenial of service **(with exceptions below)** | $500 - $1500 | $500\nOpen redirect **(with exceptions below)** | $500 - $1,000 | $500\n\n\n*\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels.*\n\n*All other scopes are part of the \"Non-Core\" category. 
This category includes shopifykloud.com, the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.*\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).*\n\n*Open Redirect vulnerabilities will be ineligible for a bounty unless additional security impact can be demonstrated, e.g., stealing authentication tokens.*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example, credentials are transmitted in POST body as plain text, missing rate limits, brute-forcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-08T14:03:27.859Z"},{"id":3633732,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. We have a list of known issues you should review before reporting.\n\nHappy Hacking!\n\n# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. 
We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core | Non-Core\n--- | --- | ---\nArbitrary code execution | $20,000 - $50,000 | $10,000 - $25,000\nSQL Injection | $20,000 - $40,000 | $10,000 - $20,000\nPrivilege escalation to shop owner | $10,000 - $30,000 | $5,000 - $15,000\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with known exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with known exceptions below)** | $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)** | $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\nDenial of service **(with exceptions below)** | $500 - $1500 | $500\nOpen redirect **(with exceptions below)** | $500 - $1,000 | $500\n\n\n*\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels.*\n\n*All other scopes are part of the \"Non-Core\" category. 
This category includes the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.*\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).*\n\n*Open Redirect vulnerabilities will be ineligible for a bounty unless additional security impact can be demonstrated, e.g., stealing authentication tokens.*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://www.google.com/about/appsecurity/play-rewards/). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Reward Criteria](https://www.google.com/about/appsecurity/play-rewards/).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-23T15:46:40.110Z"},{"id":3629984,"new_policy":"# TL;DR\nMerchant trust and safety is our #1 priority; our maximum bounty of $50,000 reflects that. \n\nIf you submit a valid and bounty eligible report, we will pay you within 7 days of triage. To participate, you must only test against accounts you create with a `@wearehackerone.com` email address. We have a list of known issues you should review before reporting.\n\nHappy Hacking!\n\n# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. 
We expect the same in return from all participants. To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types` or lacks evidence of a vulnerability\n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core | Non-Core\n--- | --- | ---\nArbitrary code execution | $20,000 - $50,000 | $10,000 - $25,000\nSQL Injection | $20,000 - $40,000 | $10,000 - $20,000\nPrivilege escalation to shop owner | $10,000 - $30,000 | $5,000 - $15,000\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with known exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with known exceptions below)** | $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)** | $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\nDenial of service **(with exceptions below)** | $500 - $1500 | $500\nOpen redirect **(with exceptions below)** | $500 - $1,000 | $500\n\n\n*\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels.*\n\n*All other scopes are part of the \"Non-Core\" category. 
This category includes the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.*\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).*\n\n*Open Redirect vulnerabilities will be ineligible for a bounty unless additional security impact can be demonstrated, e.g., stealing authentication tokens.*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](hackerone.com/googleplay). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](hackerone.com/googleplay).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-06T16:00:47.051Z"},{"id":3629459,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.** \n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core | Non-Core\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,500 - $12,500\nSQL Injection | $10,000 - $20,000 | $2,500 - $10,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $2,000 - $7,500\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with known exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with known exceptions below)** | $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)** | $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\nDenial of service **(with exceptions below)** | $500 - $1500 | $500\nOpen redirect **(with exceptions below)** | $500 - $1,000 | $500\n\n\n*\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels.*\n\n*All other scopes are part of the \"Non-Core\" category. 
This category includes the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.*\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).*\n\n*Open Redirect vulnerabilities will be ineligible for a bounty unless additional security impact can be demonstrated, e.g., stealing authentication tokens.*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](hackerone.com/googleplay). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](hackerone.com/googleplay).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-29T18:28:28.517Z"},{"id":3621994,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.**\n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://partners.shopify.com/signup/whitehat.\n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core | Non-Core\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,500 - $12,500\nSQL Injection | $10,000 - $20,000 | $2,500 - $10,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $2,000 - $7,500\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1,000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with exceptions below)** | $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)** | $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\nDenial of service **(with exceptions below)** | $500 - $1,500 | $500\n\n*\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels.*\n\n*All other scopes are part of the \"Non-Core\" category. 
This category includes the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.*\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-23T12:35:53.794Z"},{"id":3618853,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.**\n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://app.shopify.com/services/partners/signup/whitehat.\n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core | Non-Core\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,500 - $12,500\nSQL Injection | $10,000 - $20,000 | $2,500 - $10,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $2,000 - $7,500\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1,000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with exceptions below)** | $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)** | $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\nDenial of service **(with exceptions below)** | $500 - $1,500 | $500\n\n*\"Shopify Core\" includes your-store.myshopify.com, accounts.shopify.com and partners.shopify.com. It does not include Shopify apps or sales channels.*\n\n*All other scopes are part of the \"Non-Core\" category. 
This category includes the Shopify App Store, Shopify Theme Store, Shopify Experts, apps and sales channels built by Shopify, as well as our mobile applications.*\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](https://hackerone.com/googleplay). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Known issues\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-11T15:20:20.977Z"},{"id":3614051,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.** \n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://app.shopify.com/services/partners/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), our [sandboxed script execution environment](https://github.com/Shopify/ess), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core* | Non-Core**\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,500 - $12,500\nSQL Injection | $10,000 - $20,000 | $2,500 - $10,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $2,000 - $7,500\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with exceptions below)**| $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)**| $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\nDenial of service **(with exceptions below)** | $500 - $1500 | $500\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Denial of service vulnerabilities significantly impacting application functionality will be awarded at our sole discretion, typically based on whether a single payload could render an application unavailable (e.g., rendering input which causes a store's /admin to no longer render for any user).*\n\n*Core means your Shopify store front and administrative pages at /admin. 
It does not include Shopify apps or sales channels.*\n\n*Non-core means other in-scope properties not found at YOURSTORE.myshopify.com, including Shopify apps and sales channels, https://apps.shopify.com/collections/made-by-shopify*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](hackerone.com/googleplay). To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](hackerone.com/googleplay).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Insecure cookie handling for account identifying cookies**\n- **Staff access to /admin/settings/account.json with no permissions** - Information available on this endpoint is intentionally available to all staff regardless of assigned permissions.\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Distributed Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-16T14:20:53.137Z"},{"id":3600646,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.** \n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://app.shopify.com/services/partners/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core* | Non-Core**\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,500 - $12,500\nSQL Injection | $10,000 - $20,000 | $2,500 - $10,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $2,000 - $7,500\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with exceptions below)**| $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)**| $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Core means your Shopify store front and administrative pages at /admin. It does not include Shopify apps or sales channels.*\n\n*Non-core means other in-scope properties not found at YOURSTORE.myshopify.com, including Shopify apps and sales channels, https://apps.shopify.com/collections/made-by-shopify*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](hackerone.com/googleplay). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](hackerone.com/googleplay).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **Insecure cookie handling for account identifying cookies**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our [Core Change Log](https://changelog.shopify.com/) and [Partners Blog](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-16T19:54:43.556Z"},{"id":3590390,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerability Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.** \n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://app.shopify.com/services/partners/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core* | Non-Core**\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,500 - $12,500\nSQL Injection | $10,000 - $20,000 | $2,500 - $10,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $2,000 - $7,500\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with exceptions below)**| $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)**| $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Core means your Shopify store front and administrative pages at /admin. It does not include Shopify apps or sales channels.*\n\n*Non-core means other in-scope properties not found at YOURSTORE.myshopify.com, including Shopify apps and sales channels, https://apps.shopify.com/collections/made-by-shopify*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](hackerone.com/googleplay). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](hackerone.com/googleplay).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **Insecure cookie handling for account identifying cookies**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Disclosure of server or software version numbers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n#  Product Update News\nFor our newest product updates, keep an eye on our blog under [Product Updates](https://www.shopify.ca/blog/topics/product-updates) and our Partners Blog under [Shopify News](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-02T14:32:29.860Z"},{"id":3588082,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.** \n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://app.shopify.com/services/partners/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core* | Non-Core**\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,500 - $12,500\nSQL Injection | $10,000 - $20,000 | $2,500 - $10,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $2,000 - $7,500\nAuthentication bypass - login | $5,000 - $10,000 | $2,000 - $5,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $1000 - $3,750\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $2,500\nCircumvention of user permission model | $500 - $4,000 | $500 - $2,000\nServer side request forgery | $500 - $4,000 | $500 - $2,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $2,500\nCross-site scripting - reflected **(with exceptions below)**| $500 - $2,500 | $500 - $1,250\nCross-site scripting - self **(with exceptions below)**| $500 | $500\nCross-site request forgery | $500 - $1,500 | $500 - $750\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Core means your Shopify store front and administrative pages at /admin. It does not include Shopify apps or sales channels.*\n\n*Non-core means other in-scope properties not found at YOURSTORE.myshopify.com, including Shopify apps and sales channels, https://apps.shopify.com/collections/made-by-shopify*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](hackerone.com/googleplay). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](hackerone.com/googleplay).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **Insecure cookie handling for account identifying cookies**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Server and software versions included in HTTP response headers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n#  Product Update News\nFor our newest product updates, keep an eye on our blog under [Product Updates](https://www.shopify.ca/blog/topics/product-updates) and our Partners Blog under [Shopify News](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-06T19:54:47.088Z"},{"id":3582864,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.** \n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://app.shopify.com/services/partners/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core* | Non-Core**\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,000 - $5,000\nSQL Injection | $10,000 - $20,000 | $2,500 - $5,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $1,000 - $3,000\nAuthentication bypass - login | $5,000 - $10,000 | $1,000 - $2,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $500 - $1,500\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $1,000\nCircumvention of user permission model | $500 - $4,000 | $500 - $1,000\nServer side request forgery | $500 - $4,000 | $500 - $1,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $1,000\nCross-site scripting - reflected **(with exceptions below)**| $500 - $2,500 | $500\nCross-site scripting - self **(with exceptions below)**| $500 | $500\nCross-site request forgery | $500 - $1,500 | $500\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Core means your Shopify store front and administrative pages at /admin. It does not include Shopify apps or sales channels.*\n\n*Non-core means other in-scope properties not found at YOURSTORE.myshopify.com, including Shopify apps and sales channels, https://apps.shopify.com/collections/made-by-shopify*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](hackerone.com/googleplay). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](hackerone.com/googleplay).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **Insecure cookie handling for account identifying cookies**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Server and software versions included in HTTP response headers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include your HackerOne `YOURHANDLE @ wearehackerone.com` registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n#  Product Update News\nFor our newest product updates, keep an eye on our blog under [Product Updates](https://www.shopify.ca/blog/topics/product-updates) and our Partners Blog under [Shopify News](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-17T14:02:10.635Z"},{"id":3582806,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.** \n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://app.shopify.com/services/partners/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core* | Non-Core**\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,000 - $5,000\nSQL Injection | $10,000 - $20,000 | $2,500 - $5,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $1,000 - $3,000\nAuthentication bypass - login | $5,000 - $10,000 | $1,000 - $2,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $500 - $1,500\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $1,000\nCircumvention of user permission model | $500 - $4,000 | $500 - $1,000\nServer side request forgery | $500 - $4,000 | $500 - $1,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $1,000\nCross-site scripting - reflected **(with exceptions below)**| $500 - $2,500 | $500\nCross-site scripting - self **(with exceptions below)**| $500 | $500\nCross-site request forgery | $500 - $1,500 | $500\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Core means your Shopify store front and administrative pages at /admin. It does not include Shopify apps or sales channels.*\n\n*Non-core means other in-scope properties not found at YOURSTORE.myshopify.com, including Shopify apps and sales channels, https://apps.shopify.com/collections/made-by-shopify*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](hackerone.com/googleplay). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](hackerone.com/googleplay).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **Insecure cookie handling for account identifying cookies**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Server and software versions included in HTTP response headers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include `+hackerone` in your registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\n- All content submitted by you to Shopify under this program is licensed under the MIT License. \n- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.\n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nShopify considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
If legal action is initiated by a third party against you and you have fully complied with this program, Shopify will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Shopify policy.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n#  Product Update News\nFor our newest product updates, keep an eye on our blog under [Product Updates](https://www.shopify.ca/blog/topics/product-updates) and our Partners Blog under [Shopify News](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-16T20:06:11.826Z"},{"id":3582460,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.** \n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://app.shopify.com/services/partners/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE @ wearehackerone.com (e.g. hackerjuan @ wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core* | Non-Core**\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,000 - $5,000\nSQL Injection | $10,000 - $20,000 | $2,500 - $5,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $1,000 - $3,000\nAuthentication bypass - login | $5,000 - $10,000 | $1,000 - $2,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $500 - $1,500\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $1,000\nCircumvention of user permission model | $500 - $4,000 | $500 - $1,000\nServer side request forgery | $500 - $4,000 | $500 - $1,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $1,000\nCross-site scripting - reflected **(with exceptions below)**| $500 - $2,500 | $500\nCross-site scripting - self **(with exceptions below)**| $500 | $500\nCross-site request forgery | $500 - $1,500 | $500\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Core means your Shopify store front and administrative pages at /admin. It does not include Shopify apps or sales channels.*\n\n*Non-core means other in-scope properties not found at YOURSTORE.myshopify.com, including Shopify apps and sales channels, https://apps.shopify.com/collections/made-by-shopify*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](hackerone.com/googleplay). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](hackerone.com/googleplay).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **Insecure cookie handling for account identifying cookies**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Server and software versions included in HTTP response headers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include `+hackerone` in your registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\nAll content submitted by you to Shopify under this program is licensed under the MIT License. \n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n#  Product Update News\nFor our newest product updates, keep an eye on our blog under [Product Updates](https://www.shopify.ca/blog/topics/product-updates) and our Partners Blog under [Shopify News](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-12T19:22:33.319Z"},{"id":3582459,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.** \n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://app.shopify.com/services/partners/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **use your HackerOne email address, YOURHANDLE@wearehackerone.com (e.g. hackerjuan@wearehackerone.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core* | Non-Core**\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,000 - $5,000\nSQL Injection | $10,000 - $20,000 | $2,500 - $5,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $1,000 - $3,000\nAuthentication bypass - login | $5,000 - $10,000 | $1,000 - $2,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $500 - $1,500\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $1,000\nCircumvention of user permission model | $500 - $4,000 | $500 - $1,000\nServer side request forgery | $500 - $4,000 | $500 - $1,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $1,000\nCross-site scripting - reflected **(with exceptions below)**| $500 - $2,500 | $500\nCross-site scripting - self **(with exceptions below)**| $500 | $500\nCross-site request forgery | $500 - $1,500 | $500\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Core means your Shopify store front and administrative pages at /admin. It does not include Shopify apps or sales channels.*\n\n*Non-core means other in-scope properties not found at YOURSTORE.myshopify.com, including Shopify apps and sales channels, https://apps.shopify.com/collections/made-by-shopify*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](hackerone.com/googleplay). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](hackerone.com/googleplay).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **Insecure cookie handling for account identifying cookies**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Server and software versions included in HTTP response headers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include `+hackerone` in your registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\nAll content submitted by you to Shopify under this program is licensed under the MIT License. \n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our blog under [Product Updates](https://www.shopify.ca/blog/topics/product-updates) and our Partners Blog under [Shopify News](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-12T19:06:30.204Z"},{"id":3575514,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.** \n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://app.shopify.com/services/partners/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **add `+hackerone` to your email address, (e.g. john.doe+hackerone@example.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core* | Non-Core**\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,000 - $5,000\nSQL Injection | $10,000 - $20,000 | $2,500 - $5,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $1,000 - $3,000\nAuthentication bypass - login | $5,000 - $10,000 | $1,000 - $2,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $500 - $1,500\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $1,000\nCircumvention of user permission model | $500 - $4,000 | $500 - $1,000\nServer side request forgery | $500 - $4,000 | $500 - $1,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $1,000\nCross-site scripting - reflected **(with exceptions below)**| $500 - $2,500 | $500\nCross-site scripting - self **(with exceptions below)**| $500 | $500\nCross-site request forgery | $500 - $1,500 | $500\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Core means your Shopify store front and administrative pages at /admin. It does not include Shopify apps or sales channels.*\n\n*Non-core means other in-scope properties not found at YOURSTORE.myshopify.com, including Shopify apps and sales channels, https://apps.shopify.com/collections/made-by-shopify*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](hackerone.com/googleplay). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](hackerone.com/googleplay).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **Insecure cookie handling for account identifying cookies**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Server and software versions included in HTTP response headers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text, missing rate limits, bruteforcing without demonstrating impact, etc.\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include `+hackerone` in your registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\nAll content submitted by you to Shopify under this program is licensed under the MIT License. \n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n\n# Product Update News\nFor our newest product updates, keep an eye on our blog under [Product Updates](https://www.shopify.ca/blog/topics/product-updates) and our Partners Blog under [Shopify News](https://www.shopify.ca/partners/blog/topics/shopify-news).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-04T15:20:02.060Z"},{"id":3574679,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.** \n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://app.shopify.com/services/partners/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **add `+hackerone` to your email address, (e.g. john.doe+hackerone@example.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core* | Non-Core**\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,000 - $5,000\nSQL Injection | $10,000 - $20,000 | $2,500 - $5,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $1,000 - $3,000\nAuthentication bypass - login | $5,000 - $10,000 | $1,000 - $2,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $500 - $1,500\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $1,000\nCircumvention of user permission model | $500 - $4,000 | $500 - $1,000\nServer side request forgery | $500 - $4,000 | $500 - $1,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $1,000\nCross-site scripting - reflected **(with exceptions below)**| $500 - $2,500 | $500\nCross-site scripting - self **(with exceptions below)**| $500 | $500\nCross-site request forgery | $500 - $1,500 | $500\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Core means your Shopify store front and administrative pages at /admin. It does not include Shopify apps or sales channels.*\n\n*Non-core means other in-scope properties not found at YOURSTORE.myshopify.com, including Shopify apps and sales channels, https://apps.shopify.com/collections/made-by-shopify*\n\n# Google Play Bonus\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the [Google Play Security Rewards Program](hackerone.com/googleplay). 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](hackerone.com/googleplay).\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **Insecure cookie handling for account identifying cookies**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Server and software versions included in HTTP response headers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim, such as *credentials are transmitted in POST body as plain text*\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include `+hackerone` in your registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\nAll content submitted by you to Shopify under this program is licensed under the MIT License. \n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-04-24T17:12:27.191Z"},{"id":3569444,"new_policy":"# Introduction\nShopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the `In Scope` properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly `your-store.myshopify.com/admin`) and certain ancillary applications.\n\nWe look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to:\n- Reply to all reports within one business day and triage within two business days (if applicable)\n- Determine security impacts transparently\n- Award bounties within a week of resolution (excluding extenuating circumstances)\n- Only close reports as `N/A` when the issue reported is included in `Known Issues`, `Ineligible Vulnerabilities Types` or lacks evidence of a vulnerability\n\n**All valid vulnerabilities will be awarded our minimum amount, $500, on triage with the remainder awarded on resolution.** \n\n# Accounts\nWe encourage security researchers to sign up for a whitehat partner account, which allows you to create shops and private Shopify apps for testing within the program guidelines, https://app.shopify.com/services/partners/signup/whitehat. \n\nYou must use a whitehat partner account to create shops for testing or **add `+hackerone` to your email address, (e.g. john.doe+hackerone@example.com) so we can properly identify your shop**. Doing so may also give you access to new features on your shop before the feature is fully released.\n\n# Eligibility\nThe scope of the whitehat program is limited to the domains listed at the bottom of this page. **Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward.** For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated. Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. 
You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.\n\nAll software components that are used within the Shopify application may be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third party libraries that we use (such as Ruby gems). Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack Shopify. Only original reports will be rewarded.\n\nIf you need further clarification of the rules or scope of our bug bounty program, you may email us at bugbounty@shopify.com.\n\n# Typical Bounty Amounts \n\nIn most cases, we will **only** reward the type of vulnerabilities that are listed below. These payouts represent the typical amount awarded per category and we reserve the right to decrease or increase any of them based on our own assessment of impact. 
Bounty amounts for any vulnerability type not listed below will be determined on a case by case basis at the sole discretion of Shopify.\n\n*Prior bounty amounts awarded are not precedent for future payments.*\n\nType | Shopify Core* | Non-Core**\n--- | --- | ---\nArbitrary code execution | $10,000 - $25,000 | $2,000 - $5,000\nSQL Injection | $10,000 - $20,000 | $2,500 - $5,000\nPrivilege escalation to shop owner | $5,000 - $15,000 | $1,000 - $3,000\nAuthentication bypass - login | $5,000 - $10,000 | $1,000 - $2,000\nAuthentication bypass - app installation | $2,500 - $7,500 | $500 - $1,500\nIDOR / Information Disclosure | $1,000 - $5,000 | $500 - $1,000\nCircumvention of user permission model | $500 - $4,000 | $500 - $1,000\nServer side request forgery | $500 - $4,000 | $500 - $1,000\nCross-site scripting - stored **(with exceptions below)** | $500 - $5,000 | $500 - $1,000\nCross-site scripting - reflected **(with exceptions below)**| $500 - $2,500 | $500\nCross-site scripting - self **(with exceptions below)**| $500 | $500\nCross-site request forgery | $500 - $1,500 | $500\n\n*Self-XSS will be awarded at our sole discretion based on whether it's reasonable to believe a Shopify admin could be tricked into executing the payload (e.g., pasting a code snippet into an applicable text field) not covered in the exclusions below.*\n\n*Core means your Shopify store front and administrative pages at /admin. It does not include Shopify apps or sales channels.*\n\n*Non-core means other in-scope properties not found at YOURSTORE.myshopify.com, including Shopify apps and sales channels, https://apps.shopify.com/collections/made-by-shopify*\n\n# Known issues \n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. 
These issues will be closed as **Not Applicable**:\n\n- **XSS - Storefront** - Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n- **XSS - iFrames** - Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n- **XSS - Rich Text Editor** - Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n- **XSS - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n- **Arbitrary file upload - Shopify CDN** - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN.\n- **CSRF access to modify cart**\n- **Insecure cookie handling for account identifying cookies**\n- **CSRF for Login or Logout** - Any login / logout CSRF will be ineligible unless it is chained together with another vulnerability to demonstrate impact\n- **Password reset tokens don’t expire when changing email address**\n- **Email address change doesn’t require verification**\n- **Tab nabbing**\n- **Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)**\n- **Insecure “Opening Soon” password**\n- **Reflected XSS that requires full control of an HTTP header, such as `Referer`, `Host`, etc.**\n- **User or store name enumeration**\n- **CSV / formula injection**\n- **Hyperlink injection**\n- **Open redirects** - Unless an additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS\n\n# Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program. 
These issues will be closed as **Not Applicable**:\n\n- Denial of Service\n- Content spoofing\n- Social Engineering, including phishing\n- Unconfirmed reports from automated vulnerability scanners\n- Server and software versions included in HTTP response headers\n- Generic examples of Host header attacks without evidence of the ability to target a remote victim \n- Reports related to permitted password strength \n- Lack of mobile binary protection, mobile SSL pinning\n- Theoretical sub-domain takeovers with no supporting evidence\n- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system\n- Perceived security weaknesses without evidence of the ability to target a remote victim, such as *credentials are transmitted in POST body as plain text*\n- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers\n- False reports, or reports lacking evidence of a vulnerability\n\n# Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n- You may only test against shops you have created which include `+hackerone` in your registered email address.\n- You must not attempt to gain access to, or interact with, any shops other than those created by you.\n- The use of commercial scanners is prohibited (e.g., Nessus).\n- Rules for reporting must be followed.\n- Do not disclose any issues publicly before they have been resolved.\n- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.\n- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. 
We may disqualify you from receiving a reward, or from participating in the program altogether.\n- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.\n- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.\n- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.\nAll content submitted by you to Shopify under this program is licensed under the MIT License. \n- Failure to follow any of the foregoing rules will disqualify you from participating in this program.\n\n# Miscellaneous\n\nThis program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Shopify reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. 
There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.\n\nUpon Shopify’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-02-22T16:00:02.554Z"},{"id":3556373,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. 
Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n* **Shopify Mobile** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify Mobile** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile)\n* **Shopify POS** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8)\n* **Shopify POS** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos)\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n* **Kit** - https://www.kitcrm.com/\n* **Partners dashboard** https://partners.shopify.com/\n* **Accounts dashboard** https://accounts.shopify.com/\n\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n\n**Not in scope:** shopify.asia, go.shopify.com and investors.shopify.com are operated by third parties, and are **not** in scope. Any domain not explicitly listed above is also not in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of an HTTP header, such as Referer, Host, etc.\n* User enumeration\n* CSV / formula injection\n* Hyperlink injection\n* Open redirects (except in cases where additional security impact can be demonstrated, e.g. stealing authentication tokens or XSS)\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Content spoofing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n* Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  
\n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-26T15:29:27.658Z"},{"id":3554922,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. 
Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n* **Shopify Mobile** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify Mobile** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile)\n* **Shopify POS** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8)\n* **Shopify POS** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos)\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n* **Kit** - https://www.kitcrm.com/\n* **Partners dashboard** https://partners.shopify.com/\n* **Accounts dashboard** https://accounts.shopify.com/\n\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n\n**Not in scope:** shopify.asia, go.shopify.com and investors.shopify.com are operated by third parties, and are **not** in scope. Any domain not explicitly listed above is also not in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of an HTTP header, such as Referer, Host, etc.\n* User enumeration\n* CSV / formula injection\n* Hyperlink injection\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Content spoofing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n* Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  
\n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-02T19:46:04.602Z"},{"id":3554224,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. 
Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n* **Shopify Mobile** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify Mobile** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile)\n* **Shopify POS** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8)\n* **Shopify POS** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos)\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n* **Kit** - https://www.kitcrm.com/\n* **Partners dashboard** https://partners.shopify.com/\n* **Accounts dashboard** https://accounts.shopify.com/\n\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n\n**Not in scope:** shopify.asia, go.shopify.com and investors.shopify.com are operated by third parties, and are **not** in scope. Any domain not explicitly listed above is also not in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of an HTTP header, such as Referer, Host, etc.\n* User enumeration\n* CSV / formula injection\n* Hyperlink injection\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Content spoofing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-05-23T20:50:37.097Z"},{"id":3548436,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify Mobile** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile)\n* **Shopify POS** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8)\n* **Shopify POS** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos)\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n* **Kit** - https://www.kitcrm.com/\n\n**Not in scope:** shopify.asia, go.shopify.com and investors.shopify.com are operated by third parties, and are **not** in scope. 
Any domain not explicitly listed above is also not in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of an HTTP header, such as Referer, Host, etc.\n* User enumeration\n* CSV / formula injection\n* Hyperlink injection\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Content spoofing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-07T20:29:25.231Z"},{"id":3540466,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify Mobile** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile)\n* **Shopify POS** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8)\n* **Shopify POS** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos)\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia, go.shopify.com and investors.shopify.com are operated by third parties, and are **not** in scope. Any domain not explicitly listed above is also not in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n* CSV / formula injection\n* Hyperlink injection\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Content spoofing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-18T13:08:17.033Z"},{"id":3538682,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify Mobile** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile)\n* **Shopify POS** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8)\n* **Shopify POS** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos)\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia, go.shopify.com and investors.shopify.com are operated by third parties, and are **not** in scope. Any domain not explicitly listed above is also not in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n* CSV / formula injection\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Content spoofing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-08T16:34:44.120Z"},{"id":3096962,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify Mobile** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile)\n* **Shopify POS** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8)\n* **Shopify POS** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos)\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia, domains.shopify.com, go.shopify.com and investors.shopify.com are operated by third parties, and are **not** in scope. 
Any domain not explicitly listed above is also not in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n* CSV / formula injection\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Content spoofing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-07-20T13:47:15.070Z"},{"id":2948245,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify Mobile** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile)\n* **Shopify POS** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8)\n* **Shopify POS** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos)\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia, go.shopify.com and investors.shopify.com are operated by third parties, and are **not** in scope. Any domain not explicitly listed above is also not in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n* CSV / formula injection\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Content spoofing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-22T13:04:21.201Z"},{"id":2499352,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify Mobile** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile)\n* **Shopify POS** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8)\n* **Shopify POS** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos)\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia, go.shopify.com and investors.shopify.com are operated by third parties, and are **not** in scope. Any domain not explicitly listed above is also not in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n* CSV / formula injection\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-04-15T13:48:57.778Z"},{"id":2176387,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify Mobile** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile)\n* **Shopify POS** (iOS) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8)\n* **Shopify POS** (Android) - Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos)\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia, go.shopify.com and investors.shopify.com are operated by third parties, and are **not** in scope. Any domain not explicitly listed above is also not in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-01-18T16:40:16.914Z"},{"id":2176384,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia, go.shopify.com and investors.shopify.com are operated by third parties, and are **not** in scope. Any domain not explicitly listed above is also not in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-01-18T16:35:03.695Z"},{"id":2176378,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia, go.shopify.com and investors.shopify.com are operated by third parties, and are **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-01-18T16:31:08.761Z"},{"id":1934284,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia and investors.shopify.com are operated by third parties, and are **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* Reflected XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-10-26T15:54:25.515Z"},{"id":1814785,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia and investors.shopify.com are operated by third parties, and are **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-09-03T14:31:20.387Z"},{"id":1664587,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia is operated by a third-party, and is **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on physical access to the device or debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-14T16:54:57.076Z"},{"id":1664409,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia is operated by a third-party, and is **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-14T16:02:01.145Z"},{"id":1664319,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia is operated by a third-party, and is **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, or that depends on a vulnerability in the operating system.\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-14T15:15:22.106Z"},{"id":1636361,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia is operated by a third-party, and is **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store, including the checkout pages.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-29T21:47:15.256Z"},{"id":1636335,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia is operated by a third-party, and is **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n* Any issue where a store administrator is able to insert javascript in the storefront area of their own store.\n* Any issue related to the storefront area being displayed in a `\u003ciframe\u003e` element in the admin area, for example in the Theme Editor.\n* Any issue related to execution of javascript in the Rich Text Editor (for example, when editing the description of a product, blog or collection, etc).\n* Arbitrary file upload to the Shopify CDN.\n* Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n* CSRF access to modify cart\n* Insecure cookie handling for non-sensitive cookies\n* CSRF for Login or Logout\n* Password reset tokens don’t expire when changing email address\n* Email address change doesn’t require verification\n* Tab nabbing\n* Issues with the SPF, DKIM or DMARC records on shopify.com or other Shopify domains (sometimes reported as email spoofing)\n* Insecure “Opening Soon” password\n* XSS that requires full control of a http header, such as Referer, Host, etc.\n* User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-29T21:35:13.407Z"},{"id":1630638,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia is operated by a third-party, and is **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n  * Execution of arbitrary scripts in your own store - Shopify gives merchants complete control over their store front so they can customize it and make it their own. For this reason, we allow javascript to be included throughout the store by store administrators. This means we will reject any submission where the issue being reported is in the storefront and requires administrator privilege to trigger. **We are only interested in XSS vulnerabilities that can be triggered by unauthorized users, or that occur within the Shopify admin**\n  * Arbitrary file upload to the Shopify CDN.\n  * Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n  * CSRF access to modify cart\n  * Insecure cookie handling for non-sensitive cookies\n  * CSRF for Login or Logout\n  * Password reset tokens don’t expire when changing email address\n  * Email address change doesn’t require verification\n  * Tab nabbing\n  * Invalid SPF on shopify.com\n  * Insecure “Opening Soon” password\n  * XSS that requires full control of a http header, such as Referer, Host, etc.\n  * User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n* Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-26T17:47:30.255Z"},{"id":1537680,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia is operated by a third-party, and is **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n  * Execution of arbitrary scripts in your own store - Shopify gives merchants complete control over their store front so they can customize it and make it their own. For this reason, we allow javascript to be included throughout the store by store administrators. This means we will reject any submission where the issue being reported is in the storefront and requires administrator privilege to trigger. **We are only interested in XSS vulnerabilities that can be triggered by unauthorized users, or that occur within the Shopify admin**\n  * Arbitrary file upload to the Shopify CDN.\n  * Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n  * CSRF access to modify cart\n  * Insecure cookie handling for non-sensitive cookies\n  * CSRF for Login or Logout\n  * Password reset tokens don’t expire when changing email address\n  * Email address change doesn’t require verification\n  * Tab nabbing\n  * Invalid SPF on shopify.com\n  * Insecure “Opening Soon” password\n  * XSS that requires full control of a http header, such as Referer, Host, etc.\n  * User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Failure to implement security best practices such as rate limiting, minimum password strength, and mobile binary protection\n* Some server configuration issues\n  Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-11T17:04:27.008Z"},{"id":1524501,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia is operated by a third-party, and is **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n  * Execution of arbitrary scripts in your own store - Shopify gives merchants complete control over their store front so they can customize it and make it their own. For this reason, we allow javascript to be included throughout the store by store administrators. This means we will reject any submission where the issue being reported is in the storefront and requires administrator privilege to trigger. **We are only interested in XSS vulnerabilities that can be triggered by unauthorized users, or that occur within the Shopify admin**\n  * Arbitrary file upload to the Shopify CDN.\n  * Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n  * CSRF access to modify cart\n  * Insecure cookie handling for non-sensitive cookies\n  * CSRF for Login or Logout\n  * Password reset tokens don’t expire when changing email address\n  * Email address change doesn’t require verification\n  * Tab nabbing\n  * Invalid SPF on shopify.com\n  * Insecure “Opening Soon” password\n  * XSS that requires full control of a http header, such as Referer, Host, etc.\n  * User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Some server configuration issues\n  Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-10T16:22:29.178Z"},{"id":1444161,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). 
Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia is operated by a third-party, and is **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n  * Execution of arbitrary scripts in your own store - Shopify gives merchants complete control over their store front so they can customize it and make it their own. For this reason, we allow javascript to be included throughout the store by store administrators. 
This means we will reject any submission where the issue being reported requires a store administrator privilege to trigger. **We are only interested in XSS vulnerabilities that can be triggered by unauthorized users.**\n  * Arbitrary file upload to the Shopify CDN.\n  * Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n  * CSRF access to modify cart\n  * Insecure cookie handling for non-sensitive cookies\n  * CSRF for Login or Logout\n  * Password reset tokens don’t expire when changing email address\n  * Email address change doesn’t require verification\n  * Tab nabbing\n  * Invalid SPF on shopify.com\n  * Insecure “Opening Soon” password\n  * XSS that requires full control of a http header, such as Referer, Host, etc.\n  * User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Some server configuration issues\n  Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. 
In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-05-11T18:20:14.721Z"},{"id":1417963,"new_policy":"# Introduction\nShopify's Whitehat program is our way to reward security researchers for finding serious security vulnerabilities in our core application, Shopify.\n\n# Participation\nWe encourage security researchers to sign up for a whitehat partner account, which you can use to create shops and private Shopify apps to use for testing within the testing guidelines. 
https://app.shopify.com/services/partners/signup/whitehat\n\nPlease use your Whitehat partner account to create shops for testing or add +hackerone to your email address, (e.g. john.doe+hackerone@shopify.com) so we can properly identify your shop. Researchers using accounts that do not follow this rule will not be eligible for rewards under this program.\n\n# Eligibility\nThe scope of the whitehat program is limited to:\n* **Shopify shops, their admin and their API** - This means your whitehat development shop hosted at [your-shop].myshopify.com\n\nAll software components that are used within the Shopify application can be exploited in your attack, including bugs in the Liquid templating engine, its C performance extension, the Ruby interpreter (MRI), the Ruby on Rails framework, as well as third-party libraries that we use (such as Ruby gems). Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Shopify.\n* **Shopify Mobile** (iPhone) - Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)\n* **Shopify POS** - Point of Sale for iPhone and iPad (Available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8))\n* **Shopify Mobile** (Android) (Available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile\u0026hl=en))\n* **Ecommerce University** - https://ecommerce.shopify.com\n* **Shopify App Store** - https://apps.shopify.com\n* **Shopify Theme Store** - https://themes.shopify.com\n* **Shopify Experts** - https://experts.shopify.com\n\n**Not in scope:** shopify.asia is operated by a third-party, and is **not** in scope.\n\nReports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). 
In most cases, we will *only* reward the type of vulnerabilities that are listed below.\n\n* Arbitrary code execution\n* SQL injection\n* Privilege escalation to shop owner (from unauthenticated user, customer, or installed app)\n* Authentication bypass for login to [yourshop].myshopify.com/admin\n* Authentication bypass for app installation\n* Circumvention of permission model for apps or admin users\n* Cross-site request forgery\n* Cross-site scripting - **See the next section for limitations.**\n\n**Known issues or previously reported vulnerabilities**\n\nThe following vulnerability types have already been reported and triaged, and won't be fixed. Please do not report any of the following issues. In most cases these issues will be closed as **Not Applicable**.\n\n  * Execution of arbitrary scripts in your own store - Shopify gives merchants complete control over their store front so they can customize it and make it their own. For this reason, we allow javascript to be included throughout the store by store administrators. This means we will reject any submission where the issue being reported requires a store administrator privilege to trigger. **We are only interested in XSS vulnerabilities that can be triggered by unauthorized users.**\n  * Arbitrary file upload to the Shopify CDN.\n  * Execution of arbitrary scripts on the Shopify CDN - The Shopify content distribution network (static.shopify.com and cdn.shopify.com) is available for merchants to use, and we encourage our merchants to host anything they want. 
We will reject any submission to the whitehat program where the issue being reported is that a user or store administrator is able to upload arbitrary files to our CDN or execute javascript in the context of a CDN domain.\n  * CSRF access to modify cart\n  * Insecure cookie handling for non-sensitive cookies\n  * CSRF for Login or Logout\n  * Password reset tokens don’t expire when changing email address\n  * Email address change doesn’t require verification\n  * Tab nabbing\n  * Invalid SPF on shopify.com\n  * Insecure “Opening Soon” password\n  * XSS that requires full control of a http header, such as Referer, Host, etc.\n  * User enumeration\n\n#Ineligible vulnerability types\nShopify does not consider the following to be eligible vulnerabilities under this program:\n* Denial of Service\n* Social Engineering, including phishing\n* Vulnerabilities in other Shopify Inc. web sites or applications\n* Some server configuration issues\n  Architectural decisions knowingly made by Shopify are not considered as valid submissions to the whitehat program even if there may be a more secure alternative configuration. For example, reporting that www.shopify.com is not using the https protocol will fall in this category. In general, issues that fall in this category will be rejected if we do not plan to implement a fix for them.\n\n#Rules for participation\nThe following rules must be followed in order for any rewards to be paid:\n* You may only test against shops you have created\n* You must not attempt to gain access to, or interact with, any shops other than those created by you\n* Rules for reporting must be followed\n* This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists\n* Allow a reasonable amount of time for Shopify to respond to your vulnerability report before publishing details of your exploit\n* Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. 
Shopify may cancel the Whitehat program without notice at any time.\n\n#Reward Level\nThe rewards for the Shopify whitehat program start at $500 and will escalate based on severity.  \n\n#Indemnification\nShopify will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-04-29T18:28:15.407Z"},{"id":1347939,"new_policy":"\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-04-09T18:44:14.662Z"}]