Shopify

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
*.shopify.com URL low low low medium
Reports involving *.shopify.com are reviewed on a per case basis for bounty eligibility. Any services operated by a third party without a proof of concept demonstrating impact on *.myshopify.com users will likely be ineligible for a bounty.
Shopify Third Party Apps OTHER critical
Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.
Shopify Third Party Store OTHER critical
You may only test against shops you have created.
accounts.shopify.com URL high high high critical
apps.shopify.com URL low low low medium
Shopify App Store
com.jadedlabs.frenzy APPLE_STORE_APP_ID none low low medium
Arrive iOS app, available in the [iTunes store](https://itunes.apple.com/ca/app/frenzy-buy-sneakers-and-more/id1140572698)
com.jadedpixel.pos APPLE_STORE_APP_ID low low low medium
Shopify POS for iOS, available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-pos-point-sale-for/id686830644?mt=8)
com.jadedpixel.shopify APPLE_STORE_APP_ID low low low medium
Mobile Shopify for iOS, available in the [iTunes store](https://itunes.apple.com/ca/app/shopify-mobile/id371294472?mt=8)
com.shopify.arrive APPLE_STORE_APP_ID none low low medium
Arrive iOS app, available in the [iTunes store](https://itunes.apple.com/ca/app/arrive-package-tracker/id1223471316?mt=8)
com.shopify.mobile GOOGLE_PLAY_APP_ID low low low medium
Mobile Shopify for Android, available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.mobile)
com.shopify.pos GOOGLE_PLAY_APP_ID low low low medium
Shopify POS for Android, available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos)
com.shopify.pos.customerview GOOGLE_PLAY_APP_ID low low low medium
Shopify Customer View App for POS, available in the [Play store](https://play.google.com/store/apps/details?id=com.shopify.pos.customerview)
exchange.shopify.com URL none low low medium
experts.shopify.com URL low low low medium
Shopify Experts
https://apps.shopify.com/digital-downloads URL low low low medium
Digital Downloads is an app that can be installed from the Shopify app store https://apps.shopify.com/digital-downloads
https://apps.shopify.com/product-reviews URL none low low medium
After creating a test store, you may install this app from the Shopify app store to test it as well.
https://apps.shopify.com/shopify-widgets URL low low low medium
Buy Button is an app that can be installed from the Shopify app store https://apps.shopify.com/shopify-widgets
https://flow.shopifycloud.com URL none low low medium
Flow is an app that can be installed from the Shopify app store https://apps.shopify.com/flow
https://wholesale.shopifycloud.com/ URL none low low medium
Wholesale is a sales channel which can be installed on your store by visiting `/admin` and clicking the `+` beside `Sales Channels` in the menu on the left.
partners.shopify.com URL high high high critical
themes.shopify.com URL low low low medium
Shopify Theme Store
www.kitcrm.com URL none low none low
Kit can be installed from https://apps.shopify.com/kit
your-store.myshopify.com URL high high high critical
Your development store hosted at `*.myshopify.com`. Create a development store by signing up at https://partners.shopify.com/
Other Shopify Apps OTHER none none low low
Shopify apps otherwise not listed as in scope. These are not eligible for a bounty.
oberlo.com URL none low low medium
https://exchangemarketplace.com/ URL none low low medium
When testing Exchange, be sure to **unpublish** any listings you create after your testing is finished.
google-shopping.shopifycloud.com URL low low low medium
Google Shopping is a sales channel which can be added to your store from https://apps.shopify.com/google-shopping
https://sell-on-amazon.shopifycloud.com URL low low low medium
Sell on Amazon is a sales channel which can be installed on your store from https://apps.shopify.com/amazon
https://google-shopping.shopifycloud.com URL low low low medium
Google Shopping is a sales channel which can be added to your store from https://apps.shopify.com/google-shopping
https://instagram-commerce.shopifycloud.com URL low low low medium
Instagram Commerce is a sales channel which can be installed on your store from https://apps.shopify.com/instagram
https://messenger-commerce.shopifycloud.com URL low low low medium
Messenger Commerce is a sales channel which can be installed on your store from https://apps.shopify.com/messenger
https://www.kitcrm.com URL low low low medium
Kit can be installed from https://apps.shopify.com/kit
https://apps.shopify.com/advanced-cash-on-delivery URL none low low medium
After creating a test store, you may install this app from the Shopify app store to test it as well.
https://apps.shopify.com/apple-business-chat URL none low low medium
After creating a test store, you may install this app from the Shopify app store to test it as well.
Shopify Developed Apps OTHER low low low medium
Shopify apps and sales channels means everything installed via the following link: https://apps.shopify.com/collections/made-by-shopify **EXCEPT Oberlo, Return Magic and Shopify Order Printer App**
Shopify Mobile Applications OTHER low low low medium
Android: https://play.google.com/store/apps/dev?id=8929232438554100687 iOS: https://itunes.apple.com/ca/developer/shopify-inc/id371294475 Note: any services operated by a third party without a proof of concept demonstrating impact on Shopify users will likely be ineligible for a bounty.
exchangemarketplace.com URL low low low medium
Both Exchange's embedded Shopify app and website are eligible for bounty.

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
*.email.shopify.com URL none
Operated by a third party.
*.shopify.io URL none none none none
Other OTHER high high high none
cdn.shopify.com URL none
Shopify allows merchants to upload any file they want on our content delivery network. Being able to upload a file is not a vulnerability; this is the intended functionality.
go.shopify.com URL none none none none
Operated by a third party.
hackerone.com URL none
Please do not use our platform to test HackerOne functionality. You can create your own sandboxed program to do this.
investors.shopify.com URL none none none none
Operated by a third party.
shopify.asia URL none none none none
Operated by a third party.
spotify.com,*.spotify.com URL none none none none
This is Shopify, not Spotify.
Spam OTHER none
livechat.shopify.com URL none
Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed.
community.shopify.com URL none
community.shopify.com is a third party service and not in scope of our bug bounty program. Please do not test this subdomain.
partner-training.shopify.com URL none none low none
Operated by a third party.