Updates on Shopify’s Bug Bounty Program

For three years we, Shopify’s Application Security team, have set aside time to reflect on our bug bounty program and share recent insights. This past year has been quite a ride, as our program has been busier than ever! We’re excited to share what we have learned, and share some of the great things we have planned!

Jenn Newton
11 min readintermediate
--
View Original

Overview

The article provides updates on Shopify's Bug Bounty Program, highlighting recent achievements, changes in bounty calculations, and plans for 2021. It emphasizes the importance of collaboration with ethical hackers and the program's commitment to security and transparency.

What You'll Learn

1

How to participate in Shopify's Bug Bounty Program effectively

2

Why using the Common Vulnerability Scoring System (CVSS) improves bounty fairness

3

How to leverage the GraphQL Hacking Guide for better vulnerability discovery

Prerequisites & Requirements

  • Understanding of ethical hacking principles
  • Familiarity with HackerOne platform(optional)

Key Questions Answered

What are the recent highlights of Shopify's Bug Bounty Program?
Recently, Shopify's Bug Bounty Program has seen increased activity with over 3,000 reports submitted in 2020, a significant rise from 1,379 in 2019. The program also hosted the H1-2102 Virtual Live Hacking Event, resulting in 83 valid reports and over $220,000 paid in bounties.
How does Shopify determine bounty payments?
Shopify transitioned to using the Common Vulnerability Scoring System (CVSS) for calculating bounty payments, which enhances transparency and fairness. This method allows hackers to understand the metrics behind their scores, ensuring bounties reflect the real-world impact of vulnerabilities.
What improvements were made to the Bug Bounty Program in 2021?
In 2021, Shopify established a dedicated Bug Bounty Team to improve response times and manage the increased volume of reports. This team aims to reduce duplicate submissions and enhance overall program efficiency, ensuring a more responsive experience for hackers.
What statistics reflect the performance of Shopify's Bug Bounty Program in 2020?
In 2020, Shopify awarded over $460,000 in bounties, a significant increase from approximately $130,000 in 2019. The program received 3,093 reports, with notable spikes in April and September, coinciding with major disclosures.

Key Statistics & Figures

Total bounties paid in 2020
$460,000
This reflects a significant increase from approximately $130,000 in 2019.
Number of reports submitted in 2020
3,093
This is a substantial rise from 1,379 reports in the previous year.
Maximum bounty amount
$50,000
This maximum was increased at the beginning of 2020 to attract more skilled hackers.

Technologies & Tools

Some links below are affiliate links. We may earn a commission if you make a purchase.

Security
Common Vulnerability Scoring System
Used for calculating bounty payments to ensure fairness and transparency.
API
Graphql
Central to Shopify's applications, with resources provided to help hackers test effectively.

Key Actionable Insights

1
Participating in live hacking events can significantly enhance your visibility and reputation in the ethical hacking community.
Shopify's H1-2102 Virtual Live Hacking Event attracted top talent and resulted in numerous valid reports, showcasing the benefits of collaboration and engagement with the program.
2
Utilizing the CVSS for bounty calculations can lead to more objective discussions about vulnerability impacts.
This approach not only improves transparency but also helps hackers understand how their findings are valued, fostering a more collaborative environment.
3
Regularly monitor Shopify's Changelog for updates and new functionality that may present new testing opportunities.
By staying informed about changes, hackers can focus their efforts on areas that are more likely to yield valuable vulnerabilities.

Common Pitfalls

1
Failing to follow up on hacker inquiries can lead to dissatisfaction and decreased engagement.
Shopify recognized this issue and is developing tools to ensure timely follow-ups on reports, which is crucial for maintaining a positive relationship with the hacker community.

Related Concepts

Ethical Hacking
Vulnerability Disclosure
Bug Bounty Programs
Common Vulnerability Scoring System (cvss)