How do I disclose security vulnerabilities responsibly?
For Etsy Members:
For reporting fraud-related activity, account disputes, or spam, please use this contact form: http://www.etsy.com/help/contact?topic=99
For reporting a spoof or phishing email, please contact: email@example.com
For Professional Security Researchers
We genuinely appreciate the efforts of security researchers, and offer a bounty for certain security bugs per the qualifications below:
Q) What's a valid bug?
A) Web application vulnerabilities such as XSS, CSRF, SQLi, authentication issues, remote code execution, and authorization issues. The vulnerability must be in the main www.etsy.com site, the etsy.com API, or the official Etsy mobile applications. You must be the first person to responsibly disclose the bug to us, you must have found the vulnerability yourself, and you must follow responsible disclosure principles of giving us a reasonable time to address the issue before you make any information public.
Q) What's not a valid bug?
A) Although we review each submission on a case-by-case basis, the following are some of the issues which typically do not meet the requirements of our bounty program:
- Flaws specific to out of date browsers/plugins. Amongst others, this encompasses versions of Internet Explorer prior to version 8.
- Logout cross-site request forgery. For more information on this issue, please refer to blog posts on the topic by Chris Evans and Michal Zalewski.
- Lack of the Secure flag on non-sensitive cookies. Members can opt in to full-site SSL, which is enforced through HSTS to defend against MITM attacks, while we work towards releasing full-site SSL for all users. More information on this is available here: http://codeascraft.com/2012/10/09/scaling-user-security/.
- Lack of the HttpOnly flag on non-sensitive cookies. We have set the HttpOnly flag on the cookies we consider sensitive, and we do not treat the lack of HttpOnly on other cookies as a vulnerability.
- Username enumeration through login or password reset. While username enumeration can be a vulnerability in a number of web applications, Etsy is a public marketplace and as such usernames can be enumerated by design through a number of ways including listings, forum posts, shops, etc.
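The two cookie-flag items above are the kind of thing a researcher checks before deciding whether a finding is worth reporting. As an added example (not Etsy's code; the cookie names, values, and the list of "sensitive" cookies are constructed for illustration), here is a small Python audit that parses Set-Cookie headers, records which cookies lack Secure and HttpOnly, and separates gaps on sensitive cookies from gaps on cookies the program treats as out of scope:

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not Etsy's own code. Cookie names, values and the set of
"sensitive" cookie names below are constructed for illustration.
"""
from typing import Dict, List, NamedTuple, Optional


class CookieFlags(NamedTuple):
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie header value.

    Attribute names are matched case-insensitively, as RFC 6265 requires;
    unknown attributes (Path, Domain, Expires, ...) are ignored.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = value.strip() or None
    return CookieFlags(name, secure, httponly, samesite)


def audit_cookies(headers: List[str], sensitive: set) -> Dict[str, List[str]]:
    """Return {cookie name: [findings]} for every cookie in `headers`.

    A missing flag on a cookie named in `sensitive` is tagged REPORT. The same
    gap on any other cookie is tagged INFO: still worth noting in a write-up,
    but, per the scoping above, not a bounty finding on its own.
    """
    results: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        level = "REPORT" if cookie.name in sensitive else "INFO"
        issues = []
        if not cookie.secure:
            issues.append(
                f"{level}: missing Secure (sent over plain HTTP unless HSTS upgrades the request)"
            )
        if not cookie.httponly:
            issues.append(
                f"{level}: missing HttpOnly (readable via document.cookie if an XSS is found)"
            )
        results[cookie.name] = issues
    return results


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    "session_id=0123abcd; Path=/; HttpOnly",                    # sensitive, no Secure
    "ua_pref=list; Path=/; Domain=.example.com",                # non-sensitive, no flags
    "csrf_token=f00ba7; Path=/; Secure; HttpOnly; SameSite=Lax",
]
SENSITIVE_COOKIES = {"session_id", "csrf_token"}


if __name__ == "__main__":
    for name, issues in audit_cookies(SAMPLE_HEADERS, SENSITIVE_COOKIES).items():
        print(name, "->", issues or ["ok"])
```

Which cookies count as sensitive is a judgement the site owner makes, not something the header reveals, so the audit takes that list as input rather than guessing from cookie names.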
Q) What should I be aware of when testing?
A) There are a few things that we would greatly appreciate you keep in mind when testing:
- Please do not test for spam, social engineering, or denial of service issues.
- Due to the nature of our marketplace, please do not use automated scanners without narrow scoping. Automated scanners run across the entire site create spam in the Forums, Teams, and blog comments, send spam Convos, and purchase items from legitimate member shops. These actions interfere with our members' use of the marketplace and are against the spirit of our bounty program.
- If you would like to test Convos, please use dedicated test accounts only and do not message legitimate members of the site. If testing the listing process, all test listings must be removed immediately after testing.
- We reserve the right to mute and/or ban your test accounts if you are caught violating these guidelines.
Q) What's the bounty?
A) The reward for qualifying vulnerabilities (as determined by the Etsy Security Team) starts at $500 and will be increased at our discretion for distinctly creative or severe bugs. We will also send you an Etsy Security T-shirt, add your name to the Thank You section of this page, and if we run into you at a security conference we'll give you a high five and tell people how awesome you are.
Q) How do I report a vulnerability?
A) Please contact us at firstname.lastname@example.org. Please note that reports about fraud-related activity, account disputes, or spam are not part of the bug bounty program and should be reported here: http://www.etsy.com/help/contact?topic=99
Q) What do the lawyers think about all this?
A) This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion. You must not violate any law. You also must not disrupt any service or compromise anyone’s data.
We sincerely appreciate the efforts of security researchers in keeping our community safe. The following people have responsibly disclosed vulnerabilities to us in the past:
Neal Poole - @NealPoole
Ben Hayak - @BenHayak
James Golick - @jamesgolick
Ari Rubinstein - @arirubinstein
Elvin Gentiles (elvinguitar)
Kamil Sevi - @kamilsevi
Ashar Javed - @soaj1664ashar
Avram Marius Gabriel (http://randomstorm.com)
Shai Rod - @NightRang3r
Pepe Vila - @cgvwzq
Ajay Singh Negi (http://www.computersecuritywithethicalhacking.blogspot.com)
Nir Goldshlager - @NirGoldshlager
Ryan Cirillo - @ryancirillo
Roman Shafigullin (http://shafigullin.pro)
Mateusz Goik (http://www.aliantsoft.pl)
Mauro Gentile - @sneak_
Milad Bahari Rad - @milad_bahari
Johnathan Kuskos - @JohnathanKuskos
Amir Etemadieh of Accuvant LABS - @Zenofex
Szymon Gruszecki - @szgru
João Lucas Melo Brasio (whitehathackers.com.br) (dotfivelabs.com.br)
Jack W (http://fin1te.net)
Claudio Salazar - @spectresearch
Frans Rosén (https://www.detectify.com)
Alex Davies (http://pwndizzle.blogspot.com/)
Mohamed Ramadan (Attack-Secure.com)
Emanuel Bronshtein - @e3amn2l
Yogesh Jaygadkar (http://www.jaygadkar.com/)
Rakan Alotaibi - @hxteam
Piaca - @piapiacaca
Sergey Bobrov (Positive Technologies, http://www.ptsecurity.com/)
Semen Rozhkov (Positive Technologies, http://www.ptsecurity.com/)
Malte Batram - @_batram
Hassan El Hadary
Neil Bergman of Cigital
Prashant Negi - @prashantnegi_
Muhammad Waqar - @MuhammadWaqar_9
Mike Czumak - @SecuritySift
TurkSec Group - @TurkGuvenligi
Matteo Neri - @nmatte90
Sasi Levi - @sasi2103
Nitesh Shilpkar - @NiteshShilpkar
Krutarth Shukla - @KrutarthShukla (http://krutarthshukla.com)
Rishiraj Sharma - @ehrishiraj (R3DKill_ER)
Atulkumar Hariba Shedage - @atul_shedage
Umer Shakil - @umer_djzz
Ali Hasan Ghauri - @alihasanghauri
Manish Bhattacharya - @umenmactech
Mukesh Dhama & Ravindra Singh Rathore
Dawn Isabel of HP Fortify ShadowLabs (@dawnisabel)
José Luís Zayas Banderas (www.axarnet.es)
Osanda Malith Jayathissa - @OsandaMalith
Allan Jay Tomol - http://facebook.com/atomtheman
Michael Henriksen - @michenriksen
Mikko Carreon - http://www.facebook.com/mikkz.mikko
Prayas Kulshrestha - @prayas_prayas