BigCommerce

  • $50 – $2,500 per vulnerability

BigCommerce Bug Bounty scope changes

Dear Researchers,

BigCommerce is a flexible, open SaaS platform built to help you innovate and grow your e-commerce business. We aim to let our customers build their business seamlessly by providing all the tools they need. While doing so, we believe security plays a major role, and we are delighted to let you know that you have all played a major role in improving our security posture.

Since we launched the program a few months ago, we have had a tremendous response from all of you and would like to thank everyone who has submitted a vulnerability. We wanted to take a moment to publicly give a shout out to our top researchers, cthulhufhtagn and mert. We also wanted to take this opportunity to inform you about the changes we are making to the scope going forward.

As of 16 February, 23:59 PST, all types of CSRF and XSS vulnerabilities will be classified based on the following risk ranking. Due to the nature of our platform, we are currently aware of the ability to inject malicious JS using various HTML editors. We will also be updating our Known Issues list to reflect that.

Type of vulnerability                                          | Attacker      | Victim        | Risk rating
--------------------------------------------------------------|---------------|---------------|----------------
CSRF                                                          | Storefront    | Storefront    | P3/P4
CSRF                                                          | Control Panel | Control Panel | P4
CSRF                                                          | Storefront    | Control Panel | P3/P4
CSRF                                                          | Control Panel | Storefront    | P4/Known issue
CSRF                                                          | Other apps    | Other apps    | P4
Client-side script injection (XSS, CSTI, HTML injection, etc.) | Storefront    | Control Panel | P3/P4
Client-side script injection (XSS, CSTI, HTML injection, etc.) | Storefront    | Storefront    | P3/P4
Client-side script injection (XSS, CSTI, HTML injection, etc.) | Control Panel | Control Panel | P4/Known issue
Client-side script injection (XSS, CSTI, HTML injection, etc.) | Control Panel | Storefront    | P4
Client-side script injection (XSS, CSTI, HTML injection, etc.) | Other apps    | Other apps    | P4

Control Panel: https://STORE-YOURSTOREHash.mybigcommerce.com/
Storefront: https://YOUR-TESTING-STORE.mybigcommerce.com/

A gentle reminder to only create trial stores using @bugcrowdninja.com email addresses. Any stores created with other email addresses will be deleted, and you might lose all of your testing data.

Once again, we would like to thank you for your interest in testing our platform. If you haven't started testing us yet or have further questions, please reach out to support@bugcrowd.com.

Cheers,
BigCommerce Security