Thank you for the report; we have removed that CNAME record. As far as we can tell, the impact is that an attacker can host custom Shopify shops under our domain. Is that correct?
As @postables noted, please make future reports to email@example.com.
Also, while I understand a PoC can help convince someone that a vulnerability is real and while this PoC appears to be completely harmless (thank you for that), postables is right again. Not everyone is reasonable when it comes to PoCs. Many such unreasonable parties have armies of lawyers and really don’t like to be embarrassed. Just be careful and CYA.
Legal Disclaimer: I’m not implying that we allow PoCs against our live infrastructure, just that we’re reasonable and this one was clearly harmless and well-intentioned. In case someone tries to deface our website and claim “but you said that’s OK!”, I didn’t.