Joined May 2016
- Tweets 5,005
- Following 708
- Followers 58,586
- Likes 4,809
1,214 Photos and videos
Jun 12
🇰🇷 Here’s what’s on deck for us @icmlconf in Seoul next month:
Our Expo Talk on how we distill LLMs into smaller, faster, and more accurate models than their teachers. A live demo of Tangent, our autonomous ML pipeline research agent. A workshop on the generative turn in search and rec at 81M shopper scale. And booth presentations from every ML team at Shopify.
Come see what we’re building. 👇🏻
1
2
11
5,117
Jun 12
Expo Workshop: The Generative Turn in Search and Recommendation: Foundations, Scale, and Frontiers
icml.cc/virtual/2026/75709
1
1
2,163
Jun 12
Expo Demo: Tangent: Autonomous Auto-Research Agent for ML Pipelines
icml.cc/virtual/2026/75716
1
584
Jun 12
📊 Bug bounty surveillance log | May ’26
• 515 vulnerability reports intercepted
• 229 new hackers onboarded
• 41 reports awarded bounties
• $26K distributed to hunters
1
2
36
5,202
Shopify Engineering retweeted
Jun 10
Everyone's talking about AI-generated HTML.
But have you tried giving your sites a zero-config API for saving data, file storage, AI, websockets, etc?
We did this at Shopify. Runs on a single VM that costs $200/month, and it's changed the way we work.
We call it Quick 👇🧵
106
167
2,923
817,086
Jun 10
Reflexive AI use @Shopify means tons of experimenting. Everyone’s a builder now. But how do you share all that work with your team?
Last year, we built a hosting platform on a single VM. Usage exploded:
50,000 sites so far.
Meet Quick, our hosting tool:
5
5
67
10,020
Authentication & Account Takeover campaign is live. Three weeks. Multipliers up to 2× for criticals on auth & ATO findings ↓
1
1
30
13,801
Multipliers (on standard bounty):
• Medium = 1.25×
• High = 1.5×
• Critical = 2×
Hunt: auth bypass, MFA, OAuth/SSO/SAML/SCIM, session flaws, ATO, auth-API authz.
Scope surfaces: hackerone.com/shopify?type=t…
Closes June 26. #bugbounty
1
16
2,270
Authentication & Account Takeover campaign launches Monday. Scope ↓
5
2
34
12,391
Covered surfaces:
• Merchant admin
• Partners
• accounts.shopify.com
• Shop App auth Login with Shop
• Checkout auth
• Admin / Storefront / app session token issuance
• POS staff auth
• B2B buyer auth incl. merchant SSO/SAML
• 2FA recovery flows
1
2
2,796
Standard bounty (no multiplier):
• Pre-account squatting
• Customer storefront accounts (legacy)
• Enumeration
• Brute force w/o rate-limit bypass
• Self-XSS on login
• Generic bugs chained into an auth/ATO impact
Live Mon. hackerone.com/shopify
1,428
Authentication & Account Takeover campaign on our bug bounty program. June 8 through June 26. Multipliers on auth & ATO findings, up to 2× for criticals ↓
1
2
12
2,972
Multipliers on standard bounty for auth & ATO findings:
• Medium = 1.25×
• High = 1.5×
• Critical = 2×
Open to any researcher on our HackerOne. No cohort, no invite list.
1
6
2,615
Full scope covered surfaces drop Thursday June 4. Live Monday June 8.
bugbounty.shopify.com #bugbounty
5
2,101
May 28
Recently @tobi shared the philosophy behind River, our Slack-native AI agent, and how it has become a teaching workshop for all of @Shopify.
Below River lies the Aquifer. Principal Engineers @burkelibbey & Javier Moreno share the engineering story of how River came to be, and the substrate it runs on:
7
20
291
101,754