Shopify Bug Bounty

We take merchant trust and safety very seriously. Our maximum bounty of $200,000 reflects that.

Last Updated: February 19, 2026 at 3:00 AM UTC

Program statistics

These statistics may vary from those reported by HackerOne due to differences in data collection and reporting criteria.

USD 8,555,628

Total bounties paid

USD 216,075

Total bounties paid this year

USD 36,600

Total bounties paid this month

1,139

Reports received in the last 90 days

2,340

Total Reports Resolved To Date

Submit a vulnerability

1

Review rules and/or scope

Start by exploring our scope, eligibility and known issues to understand how to discover vulnerabilities effectively.

2

Submit report

Once you’ve identified a vulnerability, submit your report to us for review.

3

Keep up with the process

Stay informed throughout the process of our Bug Bounty workflow.

Resources

Shopify’s Updated Bug Bounty Calculator

Our vulnerability scoring just got sharper.

Read now 

A Look Inside Our Bug Bounty Process

Discover the journey your report takes from submission to resolution.

Read now 

Getting Started in our Bug Bounty Program

Learn the first steps to take in our program, including creating an account and testing guidelines.

Read now