Etsy

  • $100 – $10,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

109 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$722.50 average payout (last 3 months)

Latest hall of famers

Recently joined this program

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Program Overview

Etsy is the global marketplace for unique and creative goods. Within our markets, millions of people around the world connect, both online and offline, to make, sell and buy unique goods. We also offer a wide range of Seller Services and tools that help creative entrepreneurs start, manage and scale their businesses. Our mission is to Keep Commerce Human.

Etsy's been running a bug bounty program since 2012. Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they’ve identified a vulnerability which would impact the safety of our marketplace or members. We believe that this is industry best practice.

Please use your @bugcrowdninja.com email address to create your testing account(s). We reserve the right to delete and block test accounts that are found to be abusing our testing guidelines.


Vulnerability Guidelines & Exceptions

  • Vulnerability reports MUST have a proof of concept or detailed explanation of the security issue.
  • Please note the Vulnerability Exceptions section for a list of vulnerabilities which are NOT accepted.
  • Higher quality reproduction steps and reports will be a strong factor in determining a valid issue's final bounty reward amount (In general, better reports -> bigger bounty reward). PLEASE provide clear step-by-step for replication.

Rewards

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Changes to VRT priorities for certain bugs are listed below:

VRT Adjustments

VRT Category Adjusted Value
Stored, non-self XSS P2
CSRF P3/P4
No Rate Limiting on Form - Login P5
No Rate Limiting on Form - email triggering P5
Cross-Site Scripting - IE-only/older version P5
Username Enumeration P5
No Password Policy P5

Payout Tiers

50% payouts for P1 and P2 submissions on blog.etsy.com and community.etsy.com, and other microsites on a case-by-case basis.

Third Party Bugs

Etsy uses a number of third-party providers and services. We cannot authorize security testing against systems that do not belong to us, but strongly suggest reporting issues identified within these services to the third-party directly.

However, if you believe an issue with one of our third-party service providers is the result of Etsy's misconfiguration or insecure usage of that service (or you've reported an issue affecting many customers of the service that you believe Etsy can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we'd appreciate your report regarding the issue.

Keep in mind that any reports regarding third-party services are rewarded on a case-by-case basis, and usually at a percentage of our normal payout.


Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.