BigCommerce

  • $50 – $2,500 per vulnerability

Post Easter BigCommerce Bounty Hunting

We are pleased to announce that BigCommerce is offering bonuses starting April 12, 2021 and ending April 26, 2021.

Dear Researchers,

We hope everyone is keeping safe. Thank you for your continued interest in participating in our Bug Bounty Program. We at BigCommerce are delighted to have you all on our side, helping us secure BigCommerce.

We are reaching out to announce our new Post Easter Bounty Hunting Bonus program. The program will run from the 12th of April 2021, 18:00 hours PST, to the 26th of April 2021, 18:00 hours PST.

Additional Scope:

We're excited to announce that users can opt in to two-factor authentication (2FA) when logging into the BigCommerce control panel, via the Authy app. This security feature is currently in beta and is expected to be fully rolled out in the coming months. We want to give you the opportunity to test this beta feature.

More details on how to add 2FA to your store:
https://support.bigcommerce.com/s/blog-article/aAn4O000000CdKuSAK/twofactor-authentication-for-users

Bonus:

  • During this period, every 2FA-related vulnerability will be awarded a 1.5x bounty.
  • The first P1 accepted from the time this announcement is made gets a 1.5x bounty.
  • If you have never submitted a vulnerability on our platform before, your first accepted vulnerability will receive a 1.25x bounty.
  • The first SSRF/LFI vulnerability reported anywhere in the platform will be awarded a 1.5x bounty.

Ground rules:

  1. When you are testing 2FA, any URLs that are not in *.mybigcommerce.com are out of scope.
  2. The Authy desktop/mobile app and any Authy-related URLs are strictly out of scope.
  3. If a vulnerability does not meet the above criteria, it will receive a normal bounty.
  4. Please consider the decisions made by the BigCommerce security team as final.
  5. While testing 2FA, please don't use aggressive rate-limit bypass techniques. No social engineering or DDoS.
  6. Please remember to register your store using a @bugcrowdninja.com email address.
  7. All rules mentioned in the original scope apply.

Once again, thank you for your interest in keeping us secure.

Note: bonuses are subject to change. If you have any questions, please reach out to support@bugcrowd.com.

Happy Hacking!
BigCommerce Security