• $100 – $10,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

93 vulnerabilities rewarded

Validation within 3 days
75% of submissions are accepted or rejected within 3 days

$1,258.33 average payout (last 3 months)


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Program Overview

Etsy is the global marketplace for unique and creative goods. Within our markets, millions of people around the world connect, both online and offline, to make, sell and buy unique goods. We also offer a wide range of Seller Services and tools that help creative entrepreneurs start, manage and scale their businesses. Our mission is to Keep Commerce Human.

Etsy has been running a bug bounty program since 2012. Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they have identified a vulnerability that would affect the safety of our marketplace or members. We believe this is industry best practice.

Please use your email address to create your testing account(s). We reserve the right to delete and block test accounts that are found to be abusing our testing guidelines.

Vulnerability Guidelines & Exceptions

  • Vulnerability reports MUST have a proof of concept or detailed explanation of the security issue.
  • Please note the Vulnerability Exceptions section for a list of vulnerabilities which are NOT accepted.
  • Higher-quality reproduction steps and reports are a strong factor in determining a valid issue's final bounty reward amount (in general, better reports -> bigger bounty reward). PLEASE provide clear step-by-step instructions for replication.


This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Changes to VRT priorities for certain bugs are listed below:

VRT Adjustments

VRT Category                                    Adjusted Value
Stored, non-self XSS                            P2
No Rate Limiting on Form - Login                P5
No Rate Limiting on Form - email triggering     P5
Cross-Site Scripting - IE-only/older version    P5
Username Enumeration                            P5
No Password Policy                              P5

Payout Tiers

50% payouts for P1 and P2 submissions on and, and other microsites on a case-by-case basis.

Third Party Bugs

Etsy uses a number of third-party providers and services. We cannot authorize security testing against systems that do not belong to us, but strongly suggest reporting issues identified within these services to the third-party directly.

However, if you believe an issue with one of our third-party service providers is the result of Etsy's misconfiguration or insecure usage of that service (or you've reported an issue affecting many customers of the service that you believe Etsy can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we'd appreciate your report regarding the issue.

Keep in mind that any reports regarding third-party services are rewarded on a case-by-case basis, and usually at a percentage of our normal payout.

Reward range

Technical severity   Reward range
P1 Critical          $5,000 - $10,000
P2 Severe            $1,000 - $5,000
P3 Moderate          $300 - $800
P4 Low               $100 - $200

P5 submissions do not receive any rewards for this program.


In scope

Target: Any publicly facing host owned by Etsy, including the below
Type: Website Testing
Tags: Website Testing, API Testing, HTTP, Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI, Android, Java, Kotlin

Target: (name not shown on page)
Type: Website Testing
Tags: Google Cloud, jQuery, Varnish, Website Testing

Target: Etsy Mobile Application (Android)
Type: Android
Tags: Mobile Application Testing, Android, Java, Kotlin

Target: Etsy Mobile Application (iPhone)
Type: iOS
Tags: Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI

Target: Etsy API (see documentation below)
Type: API Testing
Tags: API Testing, HTTP

Target: (name not shown on page)
Type: Website Testing
Tags: jQuery, MySQL, Wordpress, PHP, Website Testing

Target: (name not shown on page)
Type: Website Testing
Tags: jQuery, Angular, PHP, Newrelic, Website Testing

Target: (name not shown on page)
Type: Other

Out of scope

Target: (name not shown on page)
Type: API Testing

Any domain/property of Etsy not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Focus Areas

This program is focused on vulnerabilities in Etsy's mobile and web applications, which are used by Etsy customers and sellers. The developer APIs and developer portal are also in scope.

  • Unauthenticated access to users' accounts / information, especially PII (Personally Identifiable Information).
  • Developer API vulnerabilities.

Production Environment: Please note that this program scope is a production environment. With that in mind, please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.

Access & Credentials:

All in-scope target applications are publicly accessible. Credentials can be self-provisioned as needed. Please only perform testing against accounts you expressly own and control.

Buyer and Seller Accounts

Testing payment/purchasing flow:

  • Create a seller account, selling something for $1
  • Create a buyer account, buying the item for $1
  • As the seller, refund the purchase
  • NOTE: there is a 20 cent fee (on a $1 purchase) associated with transactions for sellers - this cannot be reimbursed by Etsy. Please be cognizant of this and test accordingly.

Target Information

Mobile Applications

Etsy API (v3)

  • Documentation for the Etsy API:
  • If you're interested in testing listings or other shop-related functionality, please put your shop in developer mode:
  • Please Note: Documentation may be out of date (API v2), but should still be helpful in understanding the API and expected behavior.

  • Applicable to credit card and gift card payments.
  • This is a secure payment method storage system that interacts with buyer and shop accounts.
  • Documentation is not provided.

Testing Guidelines:

  • Set your shop to developer mode here: (after you register an account and complete seller onboarding). Putting your shop in developer mode hides your shop and listings in our search functionality.
  • Please don't create an excessive number of accounts for testing, and please limit your test transactions to small monetary amounts (like ~$1).
  • If you'd like to test convos, please use dedicated test accounts only and do not message legitimate members of the site. If testing the listing process, ensure your shop is in developer mode (see above).
  • Avoid using site-wide scanners. Researchers should use targeted scanning tools so as to avoid affecting the production environment.
  • Testing Payments
  • Be mindful with the rate and scope of automated scanning tools.
  • DO NOT use automated scanners when testing <>.

  • Account Freezes: there are situations where during testing your account may be frozen due to fraud protection measures. If this happens, please reach out to


  • DoS/DDoS
  • Social engineering attacks of any kind.
  • 3rd party systems and solutions (any resource / service not managed by Etsy).
  • Spam or any other mass distribution to customers, partners, etc.
  • Pulling / manipulating any user data or user accounts - researchers should not pull, change, or erase any customer data during testing.
  • Customer support channels (chat, phone, email, etc.) - If you have any questions or issues while testing, please send an email to
  • Bug bounty payouts are paid at half the normal rate. Only Etsy-specific vulnerabilities are in scope - no vulnerabilities in WordPress itself or its plugins.

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Etsy not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Etsy, it may be reported to this program, and is appreciated - but will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.

Vulnerability Exceptions

  • Security reports that don't pertain to If you're sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.
  • Flaws specific to out of date browsers/plugins. Learn more about up-to-date browsers here.
  • Simple, non-XSS content injection. Manipulating a URL to present a page that contains custom text does not qualify for the bug bounty program.
  • Logout cross-site request forgery. For more information on this issue, please refer to blog posts on the topic by Chris Evans and Michal Zalewski.
  • Lack of the Secure flag on non-sensitive cookies. We provide full site SSL as a mechanism to defend against MITM (via HSTS) for sensitive session cookies. More information on this is available here:
  • Lack of HTTPOnly flag on non-sensitive cookies. We have set the HTTPOnly flag on cookies we feel are sensitive and we do not consider the lack of HTTPOnly on other cookies to be a vulnerability.
  • Username enumeration through login or password reset. While username enumeration can be a vulnerability in a number of web applications, Etsy is a public marketplace and as such usernames can be enumerated by design through a number of ways including listings, forum posts, shops, etc.
  • CSRF issues submitted with a proof-of-concept containing a nonce.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.