Etsy
- $50 – $10,000 per vulnerability
Program Overview
Etsy is the global marketplace for unique and creative goods. Within our markets, millions of people around the world connect, both online and offline, to make, sell and buy unique goods. We also offer a wide range of Seller Services and tools that help creative entrepreneurs start, manage and scale their businesses. Our mission is to Keep Commerce Human.
Etsy has been running a bug bounty program since 2012. Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they have identified a vulnerability that would impact the safety of our marketplace or members. We believe that this is industry best practice.
Please use your @bugcrowdninja.com email address to create your testing account(s). We reserve the right to delete and block test accounts that are found to be abusing our testing guidelines.
Vulnerability Guidelines & Exceptions
- Vulnerability reports MUST have a proof of concept or a detailed explanation of the security issue.
- Please note the Vulnerability Exceptions section for a list of vulnerabilities which are NOT accepted.
- Higher-quality reproduction steps and reports will be a strong factor in determining a valid issue's final bounty reward amount (in general, better reports -> bigger bounty reward). PLEASE provide clear step-by-step instructions for replication.
Rewards
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Changes to VRT priorities for certain bugs are listed below:
VRT Adjustments
| VRT Category | Adjusted Value |
|---|---|
| Stored, non-self XSS | P2 |
| CSRF | P3/P4 |
| No Rate Limiting on Form - Login | P5 |
| No Rate Limiting on Form - email triggering | P5 |
| Cross-Site Scripting - IE-only/older version | P5 |
| Username Enumeration | P5 |
| No Password Policy | P5 |
Scope and rewards
Program rules
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.