Shopify’s Updated Bug Bounty Calculator
What’s New and Why
We've added new metrics to better describe how much value is gained per attack and whether exploitation can be automated. This helps us (and you) assess impact and urgency with more accuracy. We've also recalibrated bounty awards, with increased payouts for medium severity reports.
What's Different for Researchers
Value Density and Automatable
We replaced the previous scaling metric with two new metrics for vulnerability assessment: Value Density and Automatable.
- Value Density measures the depth of impact, or how much sensitive information or control is gained from a single exploitation event.
- Automatable captures whether the entire attack chain - from discovery to impact - can run unattended across many targets without target-specific manual work.
Previous vulnerability assessments focused solely on the scaling of an attack. The updated approach separates two distinct questions: how much value a single exploit returns, and whether the attack can be reliably automated across many targets. This provides a clearer distinction between vulnerabilities with similar theoretical reach but different practical exploitation complexity.
Attack Requirements & Privileges Required
Attack Requirements (AT) is new. It is used when a vulnerability only works when specific conditions exist - like feature flags, race conditions, target account state, or specific deployment configurations. This gives us more precision in scoring vulnerabilities that depend on deployment-specific factors rather than security controls.
Privileges Required (PR) focuses on attacker permissions. PR measures what the attacker must already have before exploitation, while AT captures environmental preconditions.
User Interaction
User Interaction is now more precise. Our new calculator has three values for User Interaction: None, Passive, and Active. The new split recognizes the difference between a merchant just browsing their admin (Passive) and making a conscious, deliberate choice to interact with content (Active). Many vulnerabilities previously scored as "Required" - like clicking a phishing link or interacting with a malicious component - now become "Active." The bottom line: more granular scoring that better reflects real-world exploitation difficulty.
Subsequent Systems Impact
The Scope Change metric has evolved into a more nuanced approach in our new calculator. Previously, Scope Change captured whether a vulnerability in one asset could impact another; it is now redefined through three distinct Subsequent System impact metrics: Subsequent Confidentiality, Subsequent Integrity, and Subsequent Availability. This separation offers a clearer, more precise assessment of the broader impacts of vulnerabilities.
Our evaluation of what was previously referred to as "scope" continues to follow the same principle: subsequent systems impact occurs when a vulnerability in one asset impacts another asset that it should not have authority over. See our FAQ for more details.
Availability
The Availability metric has now been simplified. High Availability is assigned when a vulnerability results in complete disruption or significant downtime of most or all of a service. Low Availability applies when impact is limited to degraded service or partial downtime.
Using the New Calculator
Visit our updated calculator to see it in action. The interface looks familiar, but you'll notice:
- More detailed scoring explanations
- Enhanced vector string generation
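As an added illustration of the metric split described above (Attack Requirements versus Privileges Required, the three-way User Interaction value, the Subsequent System impact metrics, and the Automatable and Value Density metrics) and of the vector strings the calculator generates, here is a small parser and builder for such a vector. This is example code written for this post, not Shopify's calculator. It assumes the vector follows the CVSS v4.0 convention of slash-separated METRIC:VALUE pairs with CVSS v4.0 abbreviations and value letters (for instance AT:P for "Present", V:D/C for "Diffuse"/"Concentrated"); the post does not publish the vector format or the scoring formula, so the code validates and describes a vector but computes no score.

```python
"""Validate, describe and rebuild a CVSS-4.0-style vector string.

Assumption (not stated in the post): the calculator's vector uses CVSS v4.0
metric abbreviations and values. Only the metric names and their meaning
(UI None/Passive/Active, AT vs PR, SC/SI/SA replacing Scope Change,
Automatable, Value Density) come from the post itself.
"""
from __future__ import annotations

PREFIX = "CVSS:4.0"

# Metric -> allowed value letter -> human-readable label.
METRICS: dict[str, dict[str, str]] = {
    "AV": {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"},
    "AC": {"L": "Low", "H": "High"},
    "AT": {"N": "None", "P": "Present"},            # environmental preconditions
    "PR": {"N": "None", "L": "Low", "H": "High"},   # what the attacker already holds
    "UI": {"N": "None", "P": "Passive", "A": "Active"},
    "VC": {"H": "High", "L": "Low", "N": "None"},   # vulnerable system impact
    "VI": {"H": "High", "L": "Low", "N": "None"},
    "VA": {"H": "High", "L": "Low", "N": "None"},   # High = complete disruption, Low = degraded
    "SC": {"H": "High", "L": "Low", "N": "None"},   # subsequent system impact
    "SI": {"H": "High", "L": "Low", "N": "None"},
    "SA": {"H": "High", "L": "Low", "N": "None"},
    "AU": {"N": "No", "Y": "Yes"},                  # Automatable
    "V": {"D": "Diffuse", "C": "Concentrated"},     # Value Density
}
# Metrics every vector must carry; AU and V are supplemental and may be omitted.
BASE = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")


def parse_vector(vector: str) -> dict[str, str]:
    """Split a vector into {metric: value}, rejecting a bad prefix, unknown
    metrics, values outside the allowed set, duplicates and missing base metrics."""
    head, _, body = vector.partition("/")
    if head != PREFIX:
        raise ValueError(f"expected prefix {PREFIX!r}, got {head!r}")
    parsed: dict[str, str] = {}
    for item in body.split("/"):
        name, sep, value = item.partition(":")
        if not sep or name not in METRICS:
            raise ValueError(f"unknown metric in {item!r}")
        if name in parsed:
            raise ValueError(f"metric {name} given twice")
        if value not in METRICS[name]:
            raise ValueError(f"{name} does not accept {value!r}")
        parsed[name] = value
    missing = [m for m in BASE if m not in parsed]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return parsed


def build_vector(metrics: dict[str, str]) -> str:
    """Emit the vector in canonical order (base metrics first, then supplemental)."""
    ordered = [m for m in METRICS if m in metrics]
    return "/".join([PREFIX] + [f"{m}:{metrics[m]}" for m in ordered])


def has_subsequent_impact(metrics: dict[str, str]) -> bool:
    """True when the vulnerability reaches an asset it should not have authority over,
    i.e. any of the Subsequent System impact metrics is not None."""
    return any(metrics.get(m, "N") != "N" for m in ("SC", "SI", "SA"))


def summarize(metrics: dict[str, str]) -> dict[str, str]:
    """Human-readable labels a triager can paste into a report."""
    return {m: METRICS[m][v] for m, v in metrics.items()}


# Constructed sample: needs a specific precondition (AT:P), a low-privileged
# account (PR:L), an Active user interaction (UI:A), and leaks into a
# subsequent system (SC:L); not automatable, but each hit is high-value.
SAMPLE = "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/AU:N/V:C"

if __name__ == "__main__":
    parsed = parse_vector(SAMPLE)
    print(summarize(parsed))
    print("subsequent impact:", has_subsequent_impact(parsed))
    print(build_vector(parsed))
```

Because parse_vector rejects the old single "Required" User Interaction value (UI:R), it also serves as a quick check that a vector was produced under the new scheme rather than the previous calculator.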
Questions? Reach out to bugbounty@shopify.com