• $50 – $2,500 per vulnerability

Program stats

  • Vulnerabilities rewarded 356
  • Validation within 3 days 75% of submissions are accepted or rejected within 3 days
  • Average payout $321.05 within the last 3 months

Recently joined this program


Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

No technology is perfect and BigCommerce believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our applications. Good luck, and happy hunting!


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.


  • Only vulnerabilities that are original and first to be reported will be eligible for this program.
  • You are strictly prohibited from exfiltrating data or any other personal information. If you find something that might give you access to any such information, stop and drop us an email here: We will be extremely happy to further investigate the vulnerability on your behalf.
  • Do not attempt or test DoS/DDoS attacks. If you suspect that there is a valid vulnerability which leads to DoS, stop and drop us an email here:
  • The rules set forth below for notifying BigCommerce must be followed.
  • Public disclosure of bugs is strictly prohibited except as expressly agreed-to in writing by BigCommerce.
  • This program is not open to BigCommerce employees.
  • Failure to follow any rules of this program will disqualify you from participation.
  • BigCommerce may in its sole discretion suspend, amend or terminate this program, including any terms, rules or scope. BigCommerce’s decision on whether to pay a bounty is final and in its sole discretion.
  • You waive all rights to content submitted to BigCommerce as part of this program. Upon BigCommerce’s request, you may be required to execute or acknowledge additional instruments to carry out the purpose and intent of this program.
  • You are expected, as always, to comply with all applicable laws.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.