Etsy is the global marketplace for unique and creative goods. Within our markets, millions of people around the world connect, both online and offline, to make, sell and buy unique goods. We also offer a wide range of Seller Services and tools that help creative entrepreneurs start, manage and scale their businesses. Our mission is to Keep Commerce Human.
Etsy's been running a bug bounty program since 2012. Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they’ve identified a vulnerability which would impact the safety of our marketplace or members. We believe that this is industry best practice.
Please use your @bugcrowdninja.com email address to create your testing account(s). We reserve the right to delete and block test accounts that are found to be abusing our testing guidelines.
Vulnerability Guidelines & Exceptions
- Vulnerability reports MUST have a proof of concept or detailed explanation of the security issue.
- Please note the Vulnerability Exceptions section for a list of vulnerabilities which are NOT accepted.
- Higher quality reproduction steps and reports will be a strong factor in determining a valid issue's final bounty reward amount (In general, better reports -> bigger bounty reward).
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Changes to VRT priorities for certain bugs are listed below:
| VRT Category | Adjusted Value |
| --- | --- |
| No Rate Limiting on Form - Login | P5 |
| No Rate Limiting on Form - email triggering | P5 |
| Cross-Site Scripting - IE-only/older version | P5 |
| No Password Policy | P5 |
| Priority | Bounty Range |
| --- | --- |
| P1 | $1,200 - $1,500 |
| P2 | $800 - $1,000 |
| P3 | $300 - $600 |
| P4 | $100 - $200 |
Etsy will reward new researchers who submit a valid P1-P3 vulnerability with T-shirts (while supplies last). You will be contacted after the submission has been verified and reviewed. Etsy will make a best effort (but no guarantee) to get qualifying researchers their swag.
Any domain/property of Etsy not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
This program is focused on vulnerabilities in Etsy's mobile and web applications. These applications are used by Etsy customers and sellers. Additionally, the developer APIs and portal are also in scope.
- Unauthenticated access to users' accounts / information, especially PII (Personally Identifiable Information).
- Developer API vulnerabilities.
Production Environment: Please note that this program scope is a production environment. With that in mind, please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.
Access & Credentials:
All in-scope target applications are publicly accessible. Credentials can be self-provisioned as needed. Please only perform testing against accounts you expressly own and control.
Buyer and Seller Accounts
- Seller Shop Sign-Up: https://www.etsy.com/your/shop/create?us_sell_create_value
- Please Note: when registering a Seller Shop, there is bank account and credit card number verification.
- Buyer Sign-Up: https://www.etsy.com
Testing payment/purchasing flow:
- Create a seller account, selling something for $1
- Create a buyer account, buying the item for $1
- As the seller, refund the purchase
- NOTE: there is a 20 cent fee (on a $1 purchase) associated with transactions for sellers - this cannot be reimbursed by Etsy. Please be cognizant of this and test accordingly.
- Android: https://play.google.com/store/apps/details?id=com.etsy.android&hl=en
- iPhone: https://itunes.apple.com/us/app/etsy-shop-creative/id477128284?mt=8
Etsy API (v3)
- Documentation for the Etsy API: https://www.etsy.com/developers/documentation
- If you're interested in testing listings or other shop-related functionality, please put your shop in developer mode: https://www.etsy.com/developers/shop
- Please Note: Documentation may be out of date (API v2), but should still be helpful in understanding the API and expected behavior.
- Applicable to CCN, Gift Card, "In-Person" payments (mobile only).
- This is a secure payment method storage system that interacts with buyer and shop accounts.
- Documentation is not provided.
- Set your shop to developer mode here: https://www.etsy.com/developers/shop (after you register an account and complete seller onboarding). Putting your shop in developer mode hides your shop and listings in our search functionality.
- Please don't create an excessive number of accounts for testing, and please limit your test transactions to small monetary amounts (like ~$1).
- If you'd like to test convos, please use dedicated test accounts only and do not message legitimate members of the site. If testing the listing process, ensure your shop is in developer mode (see above).
- Avoid using site-wide scanners. Researchers should use targeted scanning tools so as to avoid affecting the production environment.
- Testing Payments
- Be mindful with the rate and scope of automated scanning tools.
DO NOT use automated scanners when testing <icht.etsysecure.com>.
Account Freezes: there are situations where during testing your account may be frozen due to fraud protection measures. If this happens, please reach out to firstname.lastname@example.org.
- Social engineering attacks of any kind.
- 3rd party systems and solutions (any resource / service not managed by Etsy).
- Spam or any other mass distribution to customers, partners, etc.
- Pulling / manipulating any user data or user accounts. Researchers should not pull, change, or erase any customer data during testing.
- Customer support channels (chat, phone, email, etc.) - If you have any questions or issues while testing, please send an email to email@example.com.
- Security reports that don't pertain to etsy.com. If you're sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.
- Flaws specific to out of date browsers/plugins. Learn more about up-to-date browsers here.
- Simple, non-XSS content injection. Manipulating a URL to present a page that contains custom text does not qualify for the bug bounty program.
- Logout cross-site request forgery. For more information on this issue, please refer to blog posts on the topic by Chris Evans and Michal Zalewski.
- Lack of the Secure flag on non-sensitive cookies. We provide full site SSL as a mechanism to defend against MITM (via HSTS) for sensitive session cookies. More information on this is available here: http://codeascraft.com/2012/10/09/scaling-user-security/.
- Lack of HTTPOnly flag on non-sensitive cookies. We have set the HTTPOnly flag on cookies we feel are sensitive and we do not consider the lack of HTTPOnly on other cookies to be a vulnerability.
- Username enumeration through login or password reset. While username enumeration can be a vulnerability in a number of web applications, Etsy is a public marketplace and as such usernames can be enumerated by design through a number of ways including listings, forum posts, shops, etc.
- CSRF issues submitted with a proof-of-concept containing a nonce.