Compsci student walks off with $50,000 after bug bounty report blows gaping hole in Shopify software repos
2021-07-27 12:14

Shopify has forked out $50,000 in a bug bounty payment to computer science student Augusto Zanellato following the discovery of a publicly available access token which gave world+dog read-and-write access to the company's source code repositories.

"I found out that the user in question was a member of the Shopify organisation and that he had push and pull access to all the private Shopify repositories."

Following a private disclosure via the HackerOne bug bounty platform, which has now been made public, the company revoked the access token within 24 hours and assigned the vulnerability a CVSS severity score of 10 - the highest possible.

"We addressed this issue immediately after receiving this report by revoking the GitHub Personal Access Token," Jack McCracken, senior application security engineer at Shopify, wrote in a follow-up to the report.

In its own summary, Shopify notes that an audit of access logs confirmed "No unauthorised activity" relating to the access token had occurred.

A severe vulnerability deserves a hefty payout, and Shopify surprised Zanellato with its generosity on that front: the company paid out an impressive $50,000 for his responsible disclosure, made six months ago - the maximum it offers in its bug bounty programme, which averages $500-750 per bounty.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/07/27/shopify_bug_bounty_payout/