Instruction: Reports involving *.shopify.com are reviewed on a per-case basis for bounty eligibility; this includes shopifycompass.com. Any services operated by a third party without a proof of concept demonstrating impact on *.myshopify.com users will likely be ineligible for a bounty.
Integrity requirements: low
Max severity: medium
Asset identifier: *.shopifycloud.com
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: *.shopifycloud.com may include developer test or third party applications. For example, devdegree*.shopifycloud.com, vendorvoice.shopifycloud.com, nsolid-test-console.shopifycloud.com. These types of domains are not considered in scope and reports pertaining to them will be closed Informative. If you are unsure about a domain and it looks like a test application, please email us at bugbounty@shopify.com before spending time on it.
Integrity requirements: low
Max severity: medium
Asset identifier: *.shopifykloud.com
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: Shopify Kloud includes all *.shopifykloud.com applications. Please note, there may be developer test or third party applications launched on the domain which may have low security implications for Shopify. If you are unsure about a subdomain on *.shopifykloud.com and it looks like a test application, email us at bugbounty AT shopify.com before spending time on it.
Integrity requirements: low
Max severity: medium
Asset identifier: Shopify Developed Apps
Asset type: OTHER
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: Shopify apps and sales channels means everything installed via the following link https://apps.shopify.com/collections/made-by-shopify **EXCEPT Oberlo, Return Magic and Shopify Order Printer App**
Integrity requirements: low
Max severity: medium
Asset identifier: Shopify Mobile Applications
Asset type: OTHER
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: Android: https://play.google.com/store/apps/dev?id=8929232438554100687
iOS: https://itunes.apple.com/ca/developer/shopify-inc/id371294475
Note: any services operated by a third party without a proof of concept demonstrating impact on Shopify users will likely be ineligible for a bounty.
Integrity requirements: low
Max severity: medium
Asset identifier: Shopify Scripts Platform
Asset type: OTHER
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: Learn how to get started hacking on the Shopify Scripts Platform here:
https://github.com/Shopify/bugbounty-resources/blob/master/scripts_platform.md
Integrity requirements: low
Max severity: medium
Asset identifier: Shopify Third Party Apps
Asset type: OTHER
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty:
Eligible for submissions: true
Instruction: Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.
Integrity requirements: low
Max severity: medium
Asset identifier: Shopify Third Party Store
Asset type: OTHER
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty:
Eligible for submissions: true
Instruction: You may only test against shops you have created.
Integrity requirements: low
Max severity: medium
Asset identifier: accounts.shopify.com
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: medium
Max severity: critical
Asset identifier: arrive-server.shopifycloud.com
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: medium
Max severity: critical
Asset identifier: exchangemarketplace.com
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: Both Exchange's embedded Shopify app and website are eligible for bounty.
Integrity requirements: low
Max severity: medium
Asset identifier: linkpop.com
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: low
Max severity: medium
Asset identifier: partners.shopify.com
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: medium
Max severity: critical
Asset identifier: shop.app
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: medium
Max severity: critical
Asset identifier: shopify.plus
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: medium
Max severity: critical
Asset identifier: shopifyinbox.com
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: low
Max severity: medium
Asset identifier: your-store.myshopify.com
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: Your development store hosted at `*.myshopify.com`. Create a development store by signing up at https://partners.shopify.com/