Etsy

  • $100 – $1,500 per vulnerability
  • Managed by Bugcrowd

Program stats

22 vulnerabilities rewarded

Validation within 14 days
75% of submissions are accepted or rejected within 14 days

$566.66 average payout (last 3 months)


Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Program Overview

Etsy is the global marketplace for unique and creative goods. Within our markets, millions of people around the world connect, both online and offline, to make, sell and buy unique goods. We also offer a wide range of Seller Services and tools that help creative entrepreneurs start, manage and scale their businesses. Our mission is to Keep Commerce Human.

Etsy's been running a bug bounty program since 2012. Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they’ve identified a vulnerability which would impact the safety of our marketplace or members. We believe that this is industry best practice.

Please use your @bugcrowdninja.com email address to create your testing account(s). We reserve the right to delete and block test accounts that are found to be abusing our testing guidelines.


Vulnerability Guidelines & Exceptions

  • Vulnerability reports MUST have a proof of concept or detailed explanation of the security issue.
  • Please note the Vulnerability Exceptions section for a list of vulnerabilities which are NOT accepted.
  • Higher quality reproduction steps and reports will be a strong factor in determining a valid issue's final bounty reward amount (In general, better reports -> bigger bounty reward).

Rewards

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Changes to VRT priorities for certain bugs are listed below:

VRT Adjustments

VRT category                                   Adjusted priority
Non-self XSS                                   P2
CSRF                                           P3/P4
No rate limiting on form (login)               P5
No rate limiting on form (email triggering)    P5
Cross-site scripting, IE-only/older version    P5
Username enumeration                           P5
No password policy                             P5

Reward Range

Technical severity      Reward range
P1 Critical             $1,200 - $1,500
P2 Severe               $800 - $1,000
P3 Moderate             $300 - $600
P4 Low                  $100 - $200
P5 Informational        No reward

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name                            Type
www.etsy.com                           Website
Etsy Mobile Application (Android)      Android
Etsy Mobile Application (iPhone)       iOS
Etsy API (see documentation below)     API
icht.etsysecure.com                    API
blog.etsy.com                          Website (payouts are half for this target, and do not include vulnerabilities in WordPress itself or its plugins)

Any domain/property of Etsy not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


Focus Areas

This program is focused on vulnerabilities in Etsy's mobile and web applications, which are used by Etsy customers and sellers. The developer API and developer portal are also in scope.

  • Unauthenticated access to users' accounts / information, especially PII (Personally Identifiable Information).
  • Developer API vulnerabilities.

Production Environment: Please note that this program scope is a production environment. With that in mind, please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.


Access & Credentials:

All in-scope target applications are publicly accessible. Credentials can be self-provisioned as needed. Please only perform testing against accounts you expressly own and control.

Buyer and Seller Accounts

Testing payment/purchasing flow:

  • Create a seller account, selling something for $1
  • Create a buyer account, buying the item for $1
  • As the seller, refund the purchase
  • NOTE: there is a 20 cent fee (on a $1 purchase) associated with transactions for sellers - this cannot be reimbursed by Etsy. Please be cognizant of this and test accordingly.

Target Information

Mobile Applications

Etsy API (v3)

  • Documentation for the Etsy API: https://www.etsy.com/developers/documentation
  • If you're interested in testing listings or other shop-related functionality, please put your shop in developer mode: https://www.etsy.com/developers/shop
  • Please Note: Documentation may be out of date (API v2), but should still be helpful in understanding the API and expected behavior.

icht.etsysecure.com

  • Applicable to CCN (credit card number), gift card and "in-person" payments (mobile only).
  • This is a secure payment method storage system that interacts with buyer and shop accounts.
  • Documentation is not provided.

Testing Guidelines:

  • Set your shop to developer mode here: https://www.etsy.com/developers/shop (after you register an account and complete seller onboarding). Putting your shop in developer mode hides your shop and listings from our search functionality.
  • Please don't create an excessive number of accounts for testing, and please limit your test transactions to small monetary amounts (like ~$1).
  • If you'd like to test convos, please use dedicated test accounts only and do not message legitimate members of the site. If testing the listing process, ensure your shop is in developer mode (see above).
  • Avoid using site-wide scanners. Researchers should use targeted scanning tools so as not to affect the production environment.

Testing Payments:

  • Be mindful of the rate and scope of automated scanning tools.
  • DO NOT use automated scanners when testing icht.etsysecure.com.
  • Account freezes: there are situations where, during testing, your account may be frozen by fraud-protection measures. If this happens, please reach out to support@bugcrowd.com.

Out-of-Scope

  • DoS/DDoS
  • Social engineering attacks of any kind.
  • 3rd party systems and solutions (any resource / service not managed by Etsy).
  • Spam or any other mass distribution to customers, partners, etc.
  • Pulling or manipulating any user data or user accounts. During testing, researchers must not pull, change, or erase any customer data.
  • Customer support channels (chat, phone, email, etc.). If you have any questions or issues while testing, please send an email to support@bugcrowd.com.
  • blog.etsy.com: bounties for this target are paid at half the normal rate. Only Etsy-specific vulnerabilities are in scope; vulnerabilities in WordPress itself or its plugins are not.

Vulnerability Exceptions

  • Security reports that don't pertain to etsy.com. If you're sending in a report for a domain that is not covered by the scope of our bug bounty program, we will ignore it.
  • Flaws specific to out-of-date browsers or plugins.
  • Simple, non-XSS content injection. Manipulating a URL to present a page that contains custom text does not qualify for the bug bounty program.
  • Logout cross-site request forgery. For more information on this issue, please refer to the blog posts on the topic by Chris Evans and Michal Zalewski.
  • Lack of the Secure flag on non-sensitive cookies. We serve the full site over HTTPS, enforced with HSTS, as the mechanism that defends sensitive session cookies against MITM. More information on this is available here: http://codeascraft.com/2012/10/09/scaling-user-security/.
  • Lack of the HttpOnly flag on non-sensitive cookies. We have set the HttpOnly flag on cookies we consider sensitive, and we do not consider the lack of HttpOnly on other cookies to be a vulnerability.
  • Username enumeration through login or password reset. While username enumeration can be a vulnerability in a number of web applications, Etsy is a public marketplace, and as such usernames can be enumerated by design through a number of ways, including listings, forum posts, shops, etc.
  • CSRF issues submitted with a proof-of-concept containing a nonce. If the PoC only works because it already includes the victim's anti-CSRF token, the protection is doing its job and the issue is not exploitable cross-site.
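As a pre-submission triage aid for the two cookie-flag exceptions and the CSRF-nonce exception above, here is an added example (not code from Etsy or Bugcrowd) that parses Set-Cookie headers, reports missing Secure/HttpOnly only for cookies whose names look session- or auth-bearing, and checks whether a CSRF proof-of-concept form already embeds an anti-CSRF nonce field. The sensitive-name patterns, the nonce field names, and the sample headers and forms are assumptions constructed for illustration.

```python
"""Cookie-flag and CSRF-nonce triage helper (added example, not Etsy code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed name patterns for cookies that carry session or auth state.
SENSITIVE_NAME_PATTERNS = tuple(
    re.compile(p, re.IGNORECASE) for p in (r"sess", r"auth", r"token")
)

# Assumed names of anti-CSRF token fields commonly seen in HTML forms.
NONCE_FIELD = re.compile(
    r"<input\b[^>]*\bname=[\"']?(?:_nonce|csrf[_-]?token|authenticity_token)[\"']?",
    re.IGNORECASE,
)


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names lowercased; valueless flags (Secure, HttpOnly) map to None.
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def is_sensitive(name: str) -> bool:
    return any(p.search(name) for p in SENSITIVE_NAME_PATTERNS)


def triage_cookies(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, missing flags) for sensitive cookies only.

    Non-sensitive cookies are skipped entirely: missing Secure/HttpOnly on
    them falls under the program's exceptions and is not reportable.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not is_sensitive(cookie.name):
            continue
        checks = (("Secure", cookie.secure), ("HttpOnly", cookie.httponly))
        missing = [flag for flag, present in checks if not present]
        if missing:
            findings.append((cookie.name, missing))
    return findings


def csrf_poc_has_nonce(poc_html: str) -> bool:
    """True if the PoC form embeds an anti-CSRF nonce field.

    An attacker page that only works because it already carries the
    victim's token shows the CSRF defence working, so the submission
    falls under the nonce exception.
    """
    return bool(NONCE_FIELD.search(poc_html))


# Constructed sample data (not captured from any real site).
SAMPLE_HEADERS = [
    "session_id=9f3c1a; Path=/; HttpOnly",          # sensitive, missing Secure
    "auth_token=7b2e; Path=/; Secure; HttpOnly",    # sensitive, fully flagged
    "locale=en-US; Path=/; Max-Age=31536000",       # non-sensitive, ignored
]
SAMPLE_POC_WITH_NONCE = (
    '<form action="https://example.test/settings" method="POST">'
    '<input type="hidden" name="_nonce" value="deadbeef">'
    '<input name="email" value="attacker@example.test"></form>'
)
SAMPLE_POC_WITHOUT_NONCE = (
    '<form action="https://example.test/settings" method="POST">'
    '<input name="email" value="attacker@example.test"></form>'
)

if __name__ == "__main__":
    print(triage_cookies(SAMPLE_HEADERS))
    print(csrf_poc_has_nonce(SAMPLE_POC_WITH_NONCE),
          csrf_poc_has_nonce(SAMPLE_POC_WITHOUT_NONCE))
```

The name-based sensitivity heuristic is deliberately a first pass: before reporting, confirm which cookie actually authenticates requests by replaying a request with that cookie stripped, since the exception turns on whether the cookie is sensitive, not on what it is called.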

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.