Getting Started in our Bug Bounty Program

Welcome to the Shopify Bug Bounty program and thank you for your interest in keeping Shopify secure and making commerce better for everyone!

Steps to Get Started

  1. Review and understand Shopify’s bug bounty policy in HackerOne at https://hackerone.com/shopify and on this page. Deviation from this policy can result in reports being closed as Not Applicable and/or your disqualification from the Shopify bug bounty program.
  2. Review and understand the scope presented in Shopify’s bug bounty page on HackerOne at https://hackerone.com/shopify and on this page. Deviation from the scope can result in reports being closed as Not Applicable and/or your disqualification from the Shopify bug bounty program.
  3. Sign up for a HackerOne account by following the instructions in the HackerOne documentation at https://docs.hackerone.com/en/articles/8365247-create-an-account.
  4. Familiarize yourself with the @wearehackerone.com email alias, which must be used when creating a Shopify account. This alias is provided by HackerOne and you can learn more about it in their documentation at https://docs.hackerone.com/en/articles/8404308-hacker-email-alias.
  5. Create an account for bug bounty testing on the Shopify platform by visiting https://partners.shopify.com/signup/bugbounty and following the registration steps. You must test only against stores you have created. Testing against live merchants is prohibited and can result in reports being closed as Not Applicable and/or your disqualification from the Shopify bug bounty program.


Contact Information & Notes

  1. Consult the Shopify Help Center at https://help.shopify.com/ for further information on how to build a store and to discover platform features.

You may report a vulnerability through our bug bounty program at https://hackerone.com/shopify. For information on how to submit a report, please review HackerOne’s documentation at https://docs.hackerone.com/en/articles/8473994-submitting-reports.

For questions related to scope you may email bugbounty@shopify.com. Vulnerability reports or potential vulnerability reports will not be discussed over email; all discussions will be conducted through the HackerOne platform. Vulnerability reports will only be evaluated if they are submitted through the HackerOne platform.