shopify_app 13.0.1 → 13.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c32f23c198e7bfcc44d3557857c11194ce71f2dc8a1a42ff0d220569c4eb4599
-  data.tar.gz: cf430f7fb26c01592d68d5110a5690f290452ab18c5853dcc4602c5f1d5c0521
+  metadata.gz: 3f4300bbcbbf4e0e2c6b64d3943a83f8eda2774615016551b109880b21cb32d6
+  data.tar.gz: 68eca06abf0153e592b7a167bcaf0b60720213e351355737c59eafba01f65e82
 SHA512:
-  metadata.gz: 4af6eb8ff59c68d9bc1089c577d90d40cfa2997550331314e90f620580da62898000e2b7568616b077fa15080878d0e8ddc9a09160490dea3a4ce719f4e814cd
-  data.tar.gz: b3cf9731363e7df4b3cc78f057bd96204f25f9ab2832662e2cc7e98a3e52ad98ef68d142bcca6d9c96d232eac2cc1dbc2518a41d364f1470247100c2eddd92fc
+  metadata.gz: 9052491aa073afeacbb8cc6dc5bd6e12fe73c4935ed36e823ed5b3966df8c240d1e1a48e9adf02444c79e4aacada04b85e0de8184ea8148b9227589ef600fc6c
+  data.tar.gz: a78d6b3a5fb2a02c3122afabd2a4b2e564f5e5d0c7cb530622004e39143f695e0fbb804a9be20379a245e600330e08e3e8837dfb9dafe0ad8ceeade613c07c3d

data/.github/workflows/rubocop.yml

@@ -0,0 +1,28 @@
+name: RuboCop
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby 2.7
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7
+    - name: Cache gems
+      uses: actions/cache@v1
+      with:
+        path: vendor/bundle
+        key: ${{ runner.os }}-rubocop-${{ hashFiles('**/Gemfile.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-rubocop-
+    - name: Install gems
+      run: |
+        bundle config path vendor/bundle
+        bundle config set without 'default development test'
+        bundle install --jobs 4 --retry 3
+    - name: Run RuboCop
+      run: bundle exec rubocop --parallel

data/.rubocop.yml

@@ -2,10 +2,10 @@ inherit_gem:
     rubocop-shopify: rubocop.yml
 
 AllCops:
-  TargetRubyVersion: 2.4
+  TargetRubyVersion: 2.7
   Exclude:
-    - 'lib/generators/**/*'
     - 'test/tmp/**/*'
+    - 'vendor/bundle/**/*'
 
 Style/MethodCallWithArgsParentheses:
   Exclude:

data/.travis.yml

@@ -13,9 +13,10 @@ cache:
   yarn: true
 
 rvm:
-  - 2.4.3
-  - 2.5.0
-  - 2.6.2
+  - 2.4
+  - 2.5
+  - 2.6
+  - 2.7
 
 install:
   - bundle install

data/CHANGELOG.md

@@ -1,8 +1,35 @@
+13.4.0
+------
+* Skip CSRF protection if a valid signed JWT token is present as we trust Shopify to be the only source that can sign it securely. [#994](https://github.com/Shopify/shopify_app/pull/994)
+
+13.3.0
+------
+* Added Payload Verification module [#992](https://github.com/Shopify/shopify_app/pull/992)
+* Add concern to check for valid shop domains in the unauthenticated controller
+
+13.2.0
+------
+* Get current shop domain from JWT header
+* Validate that the omniauth data matches the JWT data
+* Persist the token information to the session store
+
+13.1.1
+------
+* Update browser_sniffer to 1.2.2
+
+13.1.0
+------
+* Adds the shop URL as a parameter when redirecting after the callback
+* Bump minimum Ruby version to 2.4
+* Bug fixes
+
 13.0.1
 ------
 * Small addition to WebhookJob to return if the shop is nil #952
 * Added Rubocop to the Repo #948
 * Added a WebhookVerification test helper #950
+* Fix for deprecation warning while loading session storage at startup
+* Changes that will allow future JWT authentication
 
 13.0.1
 ------

data/Gemfile

@@ -6,4 +6,6 @@ gemspec
 
 gem 'rails-controller-testing', group: :test
 
-gem 'rubocop-shopify', require: false
+group :rubocop do
+  gem 'rubocop-shopify', require: false
+end

data/README.md

@@ -8,7 +8,7 @@ Shopify App
 
 Shopify Application Rails engine and generator
 
-#### NOTE : Versions 8.0.0 through 8.2.3 contained a CSRF vulnerability that was addressed in version 8.2.4. Please update to version 8.2.4 if you're using an old version.
+#### NOTE: Versions 8.0.0 through 8.2.3 contained a CSRF vulnerability that was addressed in version 8.2.4. Please update to version 8.2.4 if you're using an old version.
 
 Table of Contents
 -----------------
@@ -32,9 +32,9 @@ Table of Contents
 
 Introduction
 -----------
-Get started with the [Shopify Admin API](https://help.shopify.com/en/api/getting-started) faster; This gem includes a Rails Engine and generators for writing Rails applications using the Shopify API. The Engine provides a SessionsController and all the required code for authenticating with a shop via Oauth (other authentication methods are not supported).
+Get started with the [Shopify Admin API](https://help.shopify.com/en/api/getting-started) faster; This gem includes a Rails Engine and generators for writing Rails applications using the Shopify API. The Engine provides a SessionsController and all the required code for authenticating with a shop via OAuth (other authentication methods are not supported).
 
-*Note: It's recommended to use this on a new Rails project, so that the generator won't overwrite/delete your files.*
+*Note: It's recommended to use this on a new Rails project so that the generator won't overwrite/delete your files.*
 
 Learn how to create and deploy a new Shopify App to Heroku with our [quickstart guide](https://github.com/Shopify/shopify_app/blob/master/docs/Quickstart.md), or dive in in less than 5 minutes with this quickstart video:
 
@@ -42,7 +42,7 @@ Learn how to create and deploy a new Shopify App to Heroku with our [quickstart
 
 Become a Shopify App Developer
 --------------------------------
-To become a Shopify App Developer you'll need a [Shopify Partner account.](http://shopify.com/partners) If you don't have a Shopify Partner account, head to http://shopify.com/partners to create one before you start.
+To become a Shopify App Developer, you'll need a [Shopify Partner account.](http://shopify.com/partners) If you don't have a Shopify Partner account, head to http://shopify.com/partners to create one before you start.
 
 Once you have a Partner account, [create a new application in the Partner Dashboard](https://help.shopify.com/en/api/tools/partner-dashboard/your-apps) to get an API key and other API credentials.
 
@@ -50,7 +50,7 @@ To create an application for development set your new app's `App URL` to the URL
 
 Installation
 ------------
-To get started add `shopify_app` to your Gemfile and run `bundle install`:
+To get started, add `shopify_app` to your Gemfile and run `bundle install`:
 
 ``` sh
 # Create a new rails app
@@ -58,8 +58,7 @@ $ rails new my_shopify_app
 $ cd my_shopify_app
 
 # Add the gem shopify_app to your Gemfile
-$ echo "gem 'shopify_app'" >> Gemfile
-$ bundle install
+$ bundle add shopify_app
 ```
 
 Now we are ready to run any of the [generators](#generators) included with `shopify_app`. The following section explains the generators and what you can do with them.
@@ -67,7 +66,7 @@ Now we are ready to run any of the [generators](#generators) included with `shop
 
 #### Rails Compatibility
 
-The lastest version of shopify_app is compatible with Rails `>= 5`. Use version `<= v7.2.8` if you need to work with Rails 4.
+The latest version of shopify_app is compatible with Rails `>= 5`. Use version `<= v7.2.8` if you need to work with Rails 4.
 
 
 Generators
@@ -94,26 +93,22 @@ SHOPIFY_API_SECRET=your api secret
 
 These values can be found on the "App Setup" page in the [Shopify Partners Dashboard][dashboard]. If you are checking your code into a code repository, ensure your `.gitignore` prevents your `.env` file from being checked into any publicly accessible code.
 
-**You will need to load the ENV variables into your enviroment, you can do this with the [dot-env](https://github.com/bkeepers/dotenv) gem or any other method you wish to.**
+**You will need to load the ENV variables into your environment, you can do this with the [dot-env](https://github.com/bkeepers/dotenv) gem or any other method you wish to.**
 
 ### Install Generator
 
 ```sh
-$ rails generate shopify_app:install
-
-# or optionally with arguments:
-
 $ rails generate shopify_app:install
 ```
 
-Other options include:
+Options include:
 * `application_name` - the name of your app, it can be supplied with or without double-quotes if a whitespace is present. (e.g. `--application_name Example App` or `--application_name "Example App"`)
-* `scope` - the Oauth access scope required for your app, eg **read_products, write_orders**. *Multiple options* need to be delimited by a comma-space, and can be supplied with or without double-quotes
+* `scope` - the OAuth access scope required for your app, e.g. **read_products, write_orders**. *Multiple options* need to be delimited by a comma-space and can be supplied with or without double-quotes
 (e.g. `--scope read_products, write_orders, write_products` or `--scope "read_products, write_orders, write_products"`)
 For more information, refer the [docs](http://docs.shopify.com/api/tutorials/oauth).
 * `embedded` - the default is to generate an [embedded app](http://docs.shopify.com/embedded-app-sdk), if you want a legacy non-embedded app then set this to false, `--embedded false`
 
-You can update any of these settings later on easily, the arguments are simply for convenience.
+You can update any of these settings later on easily; the arguments are simply for convenience.
 
 The generator adds ShopifyApp and the required initializers to the host Rails application.
 
@@ -126,7 +121,7 @@ After running the `install` generator, you can start your app with `bundle exec
 $ rails generate shopify_app:home_controller
 ```
 
-This generator creates an example home controller and view which fetches and displays products using the Shopify API
+This generator creates an example home controller and view which fetches and displays products using the Shopify API.
 
 
 ### App Proxy Controller Generator
@@ -135,7 +130,7 @@ This generator creates an example home controller and view which fetches and dis
 $ rails generate shopify_app:app_proxy_controller
 ```
 
-This optional generator, not included with the default generator, creates the app proxy controller to handle proxy requests to the app from your shop storefront, modifies 'config/routes.rb' with a namespace route, and an example view which displays current shop information using the LiquidAPI
+This optional generator, not included with the default generator, creates the app proxy controller to handle proxy requests to the app from your shop storefront, modifies 'config/routes.rb' with a namespace route, and an example view which displays current shop information using the LiquidAPI.
 
 ### Marketing Extension Generator
 
@@ -143,11 +138,11 @@ This optional generator, not included with the default generator, creates the ap
 $ rails generate shopify_app:add_marketing_activity_extension
 ```
 
-This will create a controller with the endpoints required to build a [marketing activities extension](https://help.shopify.com/en/api/embedded-apps/app-extensions/shopify-admin/marketing-activities). The extension will be generated with a base url at `/marketing_activities`, which should also be configured in partners.
+This will create a controller with the endpoints required to build a [marketing activities extension](https://help.shopify.com/en/api/embedded-apps/app-extensions/shopify-admin/marketing-activities). The extension will be generated with a base URL at `/marketing_activities`, which should also be configured in partners.
 
 ### Controllers, Routes and Views
 
-The last group of generators are for your convenience if you want to start overriding code included as part of the Rails engine. For example by default the engine provides a simple SessionController, if you run the `rails generate shopify_app:controllers` generator then this code gets copied out into your app so you can start adding to it. Routes and views follow the exact same pattern.
+The last group of generators are for your convenience if you want to start overriding code included as part of the Rails engine. For example, by default the engine provides a simple SessionController, if you run the `rails generate shopify_app:controllers` generator then this code gets copied out into your app so you can start adding to it. Routes and views follow the exact same pattern.
 
 Mounting the Engine
 -------------------
@@ -170,7 +165,7 @@ The engine may also be mounted at a nested route, for example:
 mount ShopifyApp::Engine, at: '/nested'
 ```
 
-This will create the Shopify engine routes under the specified subpath. You'll also need to make some updates to your `shopify_app.rb` and `omniauth.rb` initializers. First update the shopify_app initializer to include a custom `root_url` e.g.:
+This will create the Shopify engine routes under the specified subpath. You'll also need to make some updates to your `shopify_app.rb` and `omniauth.rb` initializers. First, update the shopify_app initializer to include a custom `root_url` e.g.:
 
 ```ruby
 ShopifyApp.configure do |config|
@@ -216,7 +211,7 @@ Authentication
 
 ### Callback
 
-Upon completing the authentication flow Shopify calls the app at the `callback_path` mentioned before. If the app needs to do some extra work it can define and configure the route to a custom callback controller, inheriting from `ShopifyApp::CallbackController` and hook into or override any of the defined helper methods. The default callback controller already provides the following behaviour:
+Upon completing the authentication flow, Shopify calls the app at the `callback_path` mentioned before. If the app needs to do some extra work, it can define and configure the route to a custom callback controller, inheriting from `ShopifyApp::CallbackController` and hook into or override any of the defined helper methods. The default callback controller already provides the following behaviour:
 * Logging into the shop and resetting the session
 * [Installing Webhooks](https://github.com/Shopify/shopify_app#webhooksmanager)
 * [Setting Scripttags](https://github.com/Shopify/shopify_app#scripttagsmanager)
@@ -227,22 +222,22 @@ Upon completing the authentication flow Shopify calls the app at the `callback_p
 
 ### ShopifyApp::SessionRepository
 
-`ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are stored and retrieved for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(auth_session, *args)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. These methods are already implemented as part of the `ShopifyApp::SessionStorage` concern, but can be overridden for custom implementation.
+`ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are stored and retrieved for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(auth_session, *args)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. These methods are already implemented as part of the `ShopifyApp::SessionStorage` concern but can be overridden for custom implementation.
 
 #### Shop-based token storage
-Storing tokens on the store model means that any user login associated to the store will have equal access levels to whatever the original user granted the app.
+Storing tokens on the store model means that any user login associated with the store will have equal access levels to whatever the original user granted the app.
 ```sh
 $ rails generate shopify_app:shop_model
 ```
 This will generate a shop model which will be the storage for the tokens necessary for authentication.
 
 #### User-based token storage
-A more granular control over level of access per user on an app might be necessary, to which the shop-based token strategy is not sufficient. Shopify supports a user-based token storage strategy where a unique token to each user can be managed. Shop tokens must still be maintained if you are running background jobs so that you can make use of them when necessary.
+A more granular control over the level of access per user on an app might be necessary, to which the shop-based token strategy is not sufficient. Shopify supports a user-based token storage strategy where a unique token to each user can be managed. Shop tokens must still be maintained if you are running background jobs so that you can make use of them when necessary.
 ```sh
 $ rails generate shopify_app:shop_model
 $ rails generate shopify_app:user_model
 ```
-This will generate a shop model and user model which will be the storage for the tokens necessary for authentication.
+This will generate a shop model and user model, which will be the storage for the tokens necessary for authentication.
 
 The current Shopify user will be stored in the rails session at `session[:shopify_user]`
 
@@ -276,7 +271,7 @@ For backwards compatibility, the engine still provides a controller called `Shop
 
 ### AfterAuthenticate Job
 
-If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing (note that we already provide support for automatically creating Webhooks and Scripttags). To configure the after authenticate job update your initializer as follows:
+If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing (note that we already provide support for automatically creating Webhooks and Scripttags). To configure the after authenticate job, update your initializer as follows:
 
 ```ruby
 ShopifyApp.configure do |config|
@@ -324,11 +319,11 @@ ShopifyApp.configure do |config|
 end
 ```
 
-When the oauth callback is completed successfully ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every oauth callback it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
+When the OAuth callback is completed successfully, ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every OAuth callback, it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
 
-ShopifyApp also provides a WebhooksController that receives webhooks and queues a job based on the received topic. For example if you register the webhook from above then all you need to do is create a job called `CartsUpdateJob`. The job will be queued with 2 params: `shop_domain` and `webhook` (which is the webhook body).
+ShopifyApp also provides a WebhooksController that receives webhooks and queues a job based on the received topic. For example, if you register the webhook from above, then all you need to do is create a job called `CartsUpdateJob`. The job will be queued with 2 params: `shop_domain` and `webhook` (which is the webhook body).
 
-If you would like to namespace your jobs you may set `webhook_jobs_namespace` in the config. For example if your app handles webhooks from other ecommerce applications as well, and you want Shopify cart update webhooks to be processed by a job living in `jobs/shopify/webhooks/carts_update_job.rb` rather than `jobs/carts_update_job.rb`):
+If you would like to namespace your jobs, you may set `webhook_jobs_namespace` in the config. For example, if your app handles webhooks from other ecommerce applications as well, and you want Shopify cart update webhooks to be processed by a job living in `jobs/shopify/webhooks/carts_update_job.rb` rather than `jobs/carts_update_job.rb`):
 
 ```ruby
 ShopifyApp.configure do |config|
@@ -366,9 +361,9 @@ class CustomWebhooksController < ApplicationController
 end
 ```
 
-The module skips the `verify_authenticity_token` before_action and adds an action to verify that the webhook came from Shopify. You can now add a post route to your application pointing to the controller and action to accept the webhook data from Shopify.
+The module skips the `verify_authenticity_token` before_action and adds an action to verify that the webhook came from Shopify. You can now add a post route to your application, pointing to the controller and action to accept the webhook data from Shopify.
 
-The WebhooksManager uses ActiveJob, if ActiveJob is not configured then by default Rails will run the jobs inline. However it is highly recommended to configure a proper background processing queue like sidekiq or resque in production.
+The WebhooksManager uses ActiveJob. If ActiveJob is not configured then by default Rails will run the jobs inline. However, it is highly recommended to configure a proper background processing queue like Sidekiq or Resque in production.
 
 ShopifyApp can create webhooks for you using the `add_webhook` generator. This will add the new webhook to your config and create the required job class for you.
 
@@ -376,7 +371,7 @@ ShopifyApp can create webhooks for you using the `add_webhook` generator. This w
 rails g shopify_app:add_webhook -t carts/update -a https://example.com/webhooks/carts_update
 ```
 
-where `-t` is the topic and `-a` is the address the webhook should be sent to.
+Where `-t` is the topic and `-a` is the address the webhook should be sent to.
 
 ScripttagsManager
 -----------------
@@ -459,7 +454,7 @@ class ReviewsController < ApplicationController
 end
 ```
 
-Create your app proxy url in the [Shopify Partners' Dashboard][dashboard], making sure to point it to `https://your_app_website.com/app_proxy`.
+Create your app proxy URL in the [Shopify Partners' Dashboard][dashboard], making sure to point it to `https://your_app_website.com/app_proxy`.
 ![Creating an App Proxy](/images/app-proxy-screenshot.png)
 
 App Bridge
@@ -475,7 +470,7 @@ see [TROUBLESHOOTING.md](https://github.com/Shopify/shopify_app/blob/master/docs
 Using Test Helpers inside your Application
 -----------------------------------------
 
-A test helper that will allow you to test `ShopifyApp::WebhookVerification` in the controller from your app, to use this test, you need to `require` it directly in side you app `test/controllers/webhook_verification_test.rb`.
+A test helper that will allow you to test `ShopifyApp::WebhookVerification` in the controller from your app, to use this test, you need to `require` it directly inside your app `test/controllers/webhook_verification_test.rb`.
 
 ```ruby
     require 'test_helper'
@@ -484,7 +479,7 @@ A test helper that will allow you to test `ShopifyApp::WebhookVerification` in t
     require 'shopify_app/test_helpers/webhook_verification_helper'
 ```
 
-or you can require in your `test/test_helper.rb`
+Or you can require in your `test/test_helper.rb`.
 
 ```ruby
   ENV['RAILS_ENV'] ||= 'test'
@@ -521,7 +516,7 @@ change to how session stores work. Here are the steps to migrate to 13.x
 -  *CHANGE* `include ShopifyApp::SessionStorage` to `include ShopifyApp::ShopSessionStorage`
 
 ### Changes to the @shop_session instance variable (normally in `app/controllers/*.rb`)
-- *CHANGE* if you are using shop sessions, `@shop_session` will need to be changed to `@current_shopify_session`
+- *CHANGE* if you are using shop sessions, `@shop_session` will need to be changed to `@current_shopify_session`.
 
 ### Changes to Rails `session`
 - *CHANGE* `session[:shopify]` is no longer set. Use `session[:user_id]` if your app uses user based tokens, or `session[:shop_id]` if your app uses shop based tokens.
@@ -529,11 +524,13 @@ change to how session stores work. Here are the steps to migrate to 13.x
 ### Changes to `ShopifyApp::LoginProtection`
 `ShopifyApp::LoginProtection`
 
-if you are using `ShopifyApp::LoginProtection#shop_session` in your code, it will need to be
+- CHANGE if you are using `ShopifyApp::LoginProtection#shopify_session` in your code, it will need to be
 changed to `ShopifyApp::LoginProtection#activate_shopify_session`
+- CHANGE if you are using `ShopifyApp::LoginProtection#clear_shop_session` in your code, it will need to be
+changed to `ShopifyApp::LoginProtection#clear_shopify_session`
 
 ### Notes
-You do not need a user model, a shop session is fine for most applications.
+You do not need a user model; a shop session is fine for most applications.
 
 Questions or problems?
 ----------------------
@@ -571,7 +568,7 @@ Upgrading from 8.6 to 9.0.0
 
 ### Configuration change
 
-Add an api version configuration in `config/initializers/shopify_app.rb`
+Add an API version configuration in `config/initializers/shopify_app.rb`
 Set this to the version you want to run against by default. See [Shopify API docs](https://help.shopify.com/en/api/versioning) for versions available.
 ```ruby
 config.api_version = '2019-04'
@@ -579,7 +576,7 @@ config.api_version = '2019-04'
 
 ### Session storage change
 
-You will need to add an `api_version` method to you session storage object.  The default implementation for this is.
+You will need to add an `api_version` method to your session storage object.  The default implementation for this is.
 ```ruby
 def api_version
   ShopifyApp.configuration.api_version
@@ -617,7 +614,7 @@ is changed to
 
 ### ShopifyAPI changes
 
-You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with api versioning.
+You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with API versioning.
 
 [dashboard]:https://partners.shopify.com
 [app-bridge]:https://help.shopify.com/en/api/embedded-apps/app-bridge

data/SECURITY.md

@@ -0,0 +1,59 @@
+# Security Policy
+
+## Supported versions
+
+### New features
+
+New features will only be added to the master branch and will not be made available in point releases.
+
+### Bug fixes
+
+Only the latest release series will receive bug fixes. When enough bugs are fixed and its deemed worthy to release a new gem, this is the branch it happens from.
+
+### Security issues
+
+Only the latest release series will receive patches and new versions in case of a security issue.
+
+### Severe security issues
+
+For severe security issues we will provide new versions as above, and also the last major release series will receive patches and new versions. The classification of the security issue is judged by the core team.
+
+### Unsupported Release Series
+
+When a release series is no longer supported, it's your own responsibility to deal with bugs and security issues. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.
+
+## Reporting a bug
+
+All security bugs in shopify repositories should be reported to [our hackerone program](https://hackerone.com/shopify)
+Shopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the In Scope properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly your-store.myshopify.com/admin) and certain ancillary applications.
+
+## Disclosure Policy
+
+We look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:
+
+- Reply to all reports within one business day and triage within two business days (if applicable)
+- Be as transparent as possible, answering all inquires about our report decisions and adding hackers to duplicate HackerOne reports
+- Award bounties within a week of resolution (excluding extenuating circumstances)
+- Only close reports as N/A when the issue reported is included in Known Issues, Ineligible Vulnerabilities Types or lacks evidence of a vulnerability
+
+**The following rules must be followed in order for any rewards to be paid:**
+
+- You may only test against shops you have created which include your HackerOne YOURHANDLE @ wearehackerone.com registered email address.
+- You must not attempt to gain access to, or interact with, any shops other than those created by you.
+- The use of commercial scanners is prohibited (e.g., Nessus).
+- Rules for reporting must be followed.
+- Do not disclose any issues publicly before they have been resolved.
+- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.
+- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.
+- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.
+- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.
+- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.
+- All content submitted by you to Shopify under this program is licensed under the MIT License.
+- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.
+- Failure to follow any of the foregoing rules will disqualify you from participating in this program.
+
+** Please see our [Hackerone Profile](https://hackerone.com/shopify) for full details
+
+## Receiving Security Updates
+
+To recieve all general updates to vulnerabilities, please subscribe to our hackerone [Hacktivity](https://hackerone.com/shopify/hacktivity)