Authentication and Accounts Campaign - June 8 to June 26
1.25–2× payouts on auth bypass, MFA, OAuth/SSO/SAML, session management, and account takeover. Public, 3-week window.
Shopify Bug Bounty
We take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.

Last Updated: June 6, 2026 at 9:00 PM UTC
Program statistics
These statistics may vary from those reported by HackerOne due to differences in data collection and reporting criteria.
Total bounties paid: USD 9,352,923
Total bounties paid this year: USD 739,170
Total bounties paid this month: USD 149,350
Reports received in the last 90 days: 1,526
Total reports resolved to date: 2,407
Submit a vulnerability
1. Review rules and/or scope
Start by exploring our scope, eligibility and known issues to understand how to discover vulnerabilities effectively.
2. Submit report
Once you’ve identified a vulnerability, submit your report to us for review.
3. Keep up with the process
Stay informed throughout the process of our Bug Bounty workflow.