Shopify HackerOne


Target Policy
https://hackerone.com/shopify?type=team
Structured Scope
  Each entry gives the asset identifier, an optional environment (Core or Non-core) and notes, the asset type (URL, WILDCARD, OTHER or SOURCE_CODE) and the maximum bounty severity Shopify will award for it. A max severity of none marks an asset that is out of scope or not eligible for bounty.
  • admin.shopify.com

    Environment: Core

    Asset type: URL; max severity: critical
  • exchangemarketplace.com

    Both Exchange's embedded Shopify app and website are eligible for bounty.

    Asset type: URL; max severity: medium
  • investors.shopify.com

    Environment: Non-core

    Operated by a third party.

    Asset type: URL; max severity: none
  • Shopify Scripts Platform

    Learn how to get started hacking on the Shopify Scripts Platform here:
    https://github.com/Shopify/bugbounty-resources/blob/master/scripts_platform.md

    Asset type: OTHER; max severity: medium
  • Other

    Environment: Non-core

    Asset type: OTHER; max severity: none
  • cdn.shopify.com

    Environment: Non-core

    Shopify allows merchants to upload any file they want to our content delivery network. Being able to upload a file is not a vulnerability; it is the intended functionality.

    Asset type: URL; max severity: none
  • shopify.plus

    Environment: Core

    Asset type: URL; max severity: critical
  • http://*.shopify.com

    Reports involving *.shopify.com are reviewed on a per-case basis for bounty eligibility; this includes shopifycompass.com. Any service operated by a third party is likely to be ineligible for a bounty unless the report includes a proof of concept demonstrating impact on *.myshopify.com users.

    Asset type: WILDCARD; max severity: medium
  • http://*.shopifykloud.com

    Shopify Kloud includes all *.shopifykloud.com applications. Please note that developer test or third party applications may be launched on this domain, and these may have low security implications for Shopify. If you are unsure about a subdomain on *.shopifykloud.com and it looks like a test application, email us at bugbounty@shopify.com before spending time on it.

    Asset type: WILDCARD; max severity: medium
  • http://*.shopifycloud.com

    *.shopifycloud.com may include developer test or third party applications, for example devdegree*.shopifycloud.com, vendorvoice.shopifycloud.com and nsolid-test-console.shopifycloud.com. These types of domains are not considered in scope, and reports pertaining to them will be closed as Informative. If you are unsure about a domain and it looks like a test application, please email us at bugbounty@shopify.com before spending time on it.

    Asset type: WILDCARD; max severity: medium
  • *.email.shopify.com

    Environment: Non-core

    Operated by a third party.

    Asset type: WILDCARD; max severity: none
  • shop.app

    Environment: Core

    Asset type: URL; max severity: critical
  • linkpop.com

    Environment: Non-core

    Asset type: URL; max severity: medium
  • arrive-server.shopifycloud.com

    Environment: Core

    Asset type: URL; max severity: critical
  • shopifyinbox.com

    Environment: Non-core

    Asset type: URL; max severity: medium
  • partners.shopify.com

    Environment: Core

    Asset type: URL; max severity: critical
  • accounts.shopify.com

    Environment: Core

    Asset type: URL; max severity: critical
  • livechat.shopify.com

    Environment: Non-core

    Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed.

    Asset type: URL; max severity: none
  • *.shopify.io

    Environment: Non-core

    *.shopify.io may include developer test or third party applications. If you are unsure about a domain and it looks like a test or third party application, please email us at bugbounty@shopify.com before spending time on it.

    Asset type: WILDCARD; max severity: medium
  • *.shopifykloud.com

    Environment: Non-core

    Same eligibility notes as the http://*.shopifykloud.com entry above: developer test or third party applications may be hosted here, so email bugbounty@shopify.com before spending time on a subdomain that looks like a test application.

    Asset type: WILDCARD; max severity: medium
  • *.shopifycs.com

    Environment: Non-core

    Shopify's service for handling credit card data in a PCI compliant way.

    Asset type: WILDCARD; max severity: critical
  • https://github.com/Shopify/*

    Environment: Non-core

    Public repositories available under the Shopify organization on GitHub.

    Asset type: SOURCE_CODE; max severity: medium
  • *.pci.shopifyinc.com

    Environment: Core

    Asset type: WILDCARD; max severity: critical
  • *.shopify.com

    Environment: Non-core

    Same eligibility notes as the http://*.shopify.com entry above: reports are reviewed on a per-case basis (this includes shopifycompass.com), and third party services need a proof of concept showing impact on *.myshopify.com users to be eligible.

    Asset type: WILDCARD; max severity: medium
  • Shopify Third Party Store

    Environment: Non-core

    You may only test against shops you have created.

    Asset type: OTHER; max severity: medium
  • Shopify Mobile Applications

    Environment: Non-core

    Android: https://play.google.com/store/apps/dev?id=8929232438554100687
    iOS: https://itunes.apple.com/ca/developer/shopify-inc/id371294475

    Note: any services operated by a third party without a proof of concept demonstrating impact on Shopify users will likely be ineligible for a bounty.

    Asset type: OTHER; max severity: critical
  • Shopify Third Party Apps

    Environment: Non-core

    Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.

    Asset type: OTHER; max severity: medium
  • Shopify Developed Apps

    Environment: Non-core

    Shopify-developed apps and sales channels means everything installable via the following link: https://apps.shopify.com/collections/made-by-shopify

    Asset type: OTHER; max severity: medium
  • *.shopifycloud.com

    Environment: Non-core

    Same eligibility notes as the http://*.shopifycloud.com entry above: developer test and third party applications (for example devdegree*.shopifycloud.com, vendorvoice.shopifycloud.com, nsolid-test-console.shopifycloud.com) are not in scope and reports on them will be closed as Informative; email bugbounty@shopify.com if unsure.

    Asset type: WILDCARD; max severity: medium
  • your-store.myshopify.com

    Environment: Core

    Your development store hosted at `*.myshopify.com`. Create a development store by signing up at https://partners.shopify.com/

    Asset type: URL; max severity: critical
  • Spam
    Asset type: OTHER; max severity: none
  • spotify.com,*.spotify.com

    We are Shopify, not Spotify.

    Asset type: WILDCARD; max severity: none
  • shopify.asia

    Operated by a third party.

    Asset type: URL; max severity: none
  • go.shopify.com

    Operated by a third party.

    Asset type: URL; max severity: none
  • hackerone.com

    Please do not use our platform to test HackerOne functionality. You can create your own sandboxed program to do this.

    Asset type: URL; max severity: none
  • partner-training.shopify.com

    Operated by a third party.

    Asset type: URL; max severity: none
  • community.shopify.com

    Environment: Non-core

    community.shopify.com is a third party service and not in scope of our bug bounty program. Please do not test this subdomain.

    Asset type: URL; max severity: none
Target Scope Domains
  • accounts.shopify.com
  • admin.shopify.com
  • arrive-server.shopifycloud.com
  • exchangemarketplace.com
  • linkpop.com
  • partners.shopify.com
  • pci.shopifyinc.com
  • shop.app
  • shopify.com
  • shopify.io
  • shopify.plus
  • shopifycloud.com
  • shopifycs.com
  • shopifyinbox.com
  • shopifykloud.com
  • your-store.myshopify.com
Domain Scope
  • shopifykloud.com
  • shopify.com
  • shopifycloud.com
  • exchangemarketplace.com
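The wildcard entries above overlap with hosts that are explicitly excluded: *.shopify.com is in scope at medium, yet community.shopify.com, go.shopify.com, partner-training.shopify.com and *.email.shopify.com are listed with max severity none, and *.shopifycloud.com covers test applications that are out of scope. Anyone feeding subdomain-enumeration output into this program needs a matcher where the most specific rule wins. The following is an added example, not Shopify's or HackerOne's tooling. The rule table is transcribed from the structured scope on this page; the precedence order (an exact host beats a wildcard, a longer wildcard beats a shorter one, and a wildcard does not cover its apex domain) and the sample host list are assumptions made for the example.

```python
"""Scope matcher for the Shopify HackerOne listing above.

Added example, not Shopify's or HackerOne's tooling. RULES is transcribed
from the structured scope on this page. The precedence rule (an exact host
beats a wildcard, a longer wildcard beats a shorter one, and "*.example.com"
does not cover the apex "example.com") is an assumption about how to read
overlapping entries, not a HackerOne rule.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    pattern: str   # exact host, or a glob such as "*.shopify.com"
    severity: str  # max bounty severity from the page: critical, medium or none
    note: str = ""


# "none" marks assets the page lists as third party, test, or ineligible.
RULES: List[Rule] = [
    Rule("admin.shopify.com", "critical"),
    Rule("accounts.shopify.com", "critical"),
    Rule("partners.shopify.com", "critical"),
    Rule("arrive-server.shopifycloud.com", "critical"),
    Rule("shopify.plus", "critical"),
    Rule("shop.app", "critical"),
    Rule("*.shopifycs.com", "critical", "PCI card-data service"),
    Rule("*.pci.shopifyinc.com", "critical"),
    Rule("*.myshopify.com", "critical", "only development stores you created"),
    Rule("*.shopify.com", "medium", "per-case eligibility review"),
    Rule("*.shopify.io", "medium", "may include test or third party apps"),
    Rule("*.shopifycloud.com", "medium", "may include test or third party apps"),
    Rule("*.shopifykloud.com", "medium", "may include test or third party apps"),
    Rule("exchangemarketplace.com", "medium"),
    Rule("linkpop.com", "medium"),
    Rule("shopifyinbox.com", "medium"),
    Rule("cdn.shopify.com", "none", "file upload is intended functionality"),
    Rule("*.email.shopify.com", "none", "third party"),
    Rule("investors.shopify.com", "none", "third party"),
    Rule("go.shopify.com", "none", "third party"),
    Rule("partner-training.shopify.com", "none", "third party"),
    Rule("community.shopify.com", "none", "third party, do not test"),
    Rule("livechat.shopify.com", "none", "do not contact support about reports"),
    Rule("shopify.asia", "none", "third party"),
    Rule("devdegree*.shopifycloud.com", "none", "test application"),
    Rule("vendorvoice.shopifycloud.com", "none", "test application"),
    Rule("nsolid-test-console.shopifycloud.com", "none", "test application"),
    Rule("spotify.com", "none", "we are Shopify, not Spotify"),
    Rule("*.spotify.com", "none", "we are Shopify, not Spotify"),
]


def _normalize(host: str) -> str:
    """Lower-case and drop a trailing dot so DNS output compares cleanly."""
    return host.strip().lower().rstrip(".")


def _specificity(rule: Rule) -> Tuple[bool, int]:
    """Exact hosts outrank globs; among globs the longer suffix wins."""
    return ("*" not in rule.pattern, len(rule.pattern))


def classify(host: str) -> Optional[Rule]:
    """Return the most specific matching rule, or None if the host is unlisted."""
    host = _normalize(host)
    # fnmatchcase anchors the whole string, so "*.shopify.com" cannot match
    # "shopify.com.attacker.example" or the bare apex "shopify.com".
    matches = [r for r in RULES if fnmatchcase(host, r.pattern)]
    if not matches:
        return None
    return max(matches, key=_specificity)


def triage(hosts: List[str]) -> Dict[str, list]:
    """Bucket enumerated hosts into eligible / ineligible / unlisted."""
    out: Dict[str, list] = {"eligible": [], "ineligible": [], "unlisted": []}
    for h in hosts:
        rule = classify(h)
        if rule is None:
            out["unlisted"].append(h)
        elif rule.severity == "none":
            out["ineligible"].append(h)
        else:
            out["eligible"].append((h, rule.severity))
    return out


# Constructed sample, as if pasted from a subdomain enumeration run.
SAMPLE_HOSTS = [
    "admin.shopify.com",
    "community.shopify.com",
    "mailer.email.shopify.com",
    "nsolid-test-console.shopifycloud.com",
    "devdegree-2024.shopifycloud.com",
    "api.shopifycs.com",
    "shopify.com",
    "shopify.com.attacker.example",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_HOSTS).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Hosts that land in the unlisted bucket (the apex shopify.com under this matcher, or a domain the page never mentions) should be checked against the policy page by hand rather than assumed in scope; a hostname that merely ends in "shopify.com" is not matched because fnmatchcase anchors the whole string.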
Last finished scan: allkxss (fleet allkxss), duration 21 seconds, finished 1 week, 2 days ago.