
BigCommerce
- $50 – $2,500 per vulnerability
BigCommerce Bug Bounty scope changes
Dear Researchers,
BigCommerce is a flexible, open SaaS platform built to help merchants innovate and grow their e-commerce businesses. We aim to let our customers build their business seamlessly by providing all the tools they need. Security plays a major role in that, and we are delighted to tell you that you all have played a major part in improving our security posture.
Since we launched the program a few months ago, we have had a tremendous response from all of you, and we would like to thank everyone who has submitted a vulnerability. We want to take a moment to publicly give a shout-out to our top researchers, cthulhufhtagn and mert. We also want to take this opportunity to inform you about the changes we are making to the scope going forward.
As of 16 February, 23:59 PST, all types of CSRF and XSS vulnerabilities will be classified according to the risk ranking below. Due to the nature of our platform, we are already aware that malicious JavaScript can be injected through various HTML editors, and we will be updating our Known Issues list to reflect that.
Type of vulnerability | Attacker | Victim | Risk rating |
---|---|---|---|
CSRF | Storefront | Storefront | P3/P4 |
CSRF | Control Panel | Control Panel | P4 |
CSRF | Storefront | Control Panel | P3/P4 |
CSRF | Control Panel | Storefront | P4/Known issue |
CSRF | Other apps | Other apps | P4 |
Client-side script injection (XSS, CSTI, HTML injection, etc.) | Storefront | Control Panel | P3/P4 |
Client-side script injection (XSS, CSTI, HTML injection, etc.) | Storefront | Storefront | P3/P4 |
Client-side script injection (XSS, CSTI, HTML injection, etc.) | Control Panel | Control Panel | P4/Known issue |
Client-side script injection (XSS, CSTI, HTML injection, etc.) | Control Panel | Storefront | P4 |
Client-side script injection (XSS, CSTI, HTML injection, etc.) | Other apps | Other apps | P4 |
Control Panel: https://STORE-YOURSTOREHash.mybigcommerce.com/
Storefront: https://YOUR-TESTING-STORE.mybigcommerce.com/
A gentle reminder: only create trial stores using @bugcrowdninja.com email addresses. Stores created with other email addresses will be deleted, and you may lose all of your testing data.
Once again, we would like to thank you for your interest in testing our platform. If you haven't started testing yet or have further questions, please reach out to support@bugcrowd.com.
Cheers
BigCommerce Security