How do I disclose security vulnerabilities responsibly?
For Etsy Members:
For reporting fraud-related activity, account disputes, or spam please use this contact form: http://www.etsy.com/help/contact
For reporting a spoof or phishing email, please contact: firstname.lastname@example.org
For Professional Security Researchers
We genuinely appreciate the efforts of security researchers and offer a bounty for certain security bugs per the qualifications below:
Q) What's a valid bug?
A) Web application vulnerabilities such as XSS, CSRF, SQLi, authentication issues, remote code execution, and authorization issues. The vulnerability must be in the main www.etsy.com site, the etsy.com API, or the official Etsy mobile applications. Note that systems we do not control (such as links or redirects to third-party sites, or CDNs) are excluded from the scope of the bounty. You must be the first person to responsibly disclose the bug to us, you must have found the vulnerability yourself, and you must follow responsible disclosure principles by giving us a reasonable time to address the issue before you make any information public.
Q) What's not a valid bug?
A) Although we review each submission on a case-by-case basis, the following are some of the issues which typically do not meet the requirements of our bounty program:
- Flaws specific to out-of-date browsers or plugins. Among others, this encompasses versions of Internet Explorer prior to version 8.
- Logout cross-site request forgery. For more information on this issue, please refer to blog posts on the topic by Chris Evans and Michal Zalewski.
- Lack of the Secure flag on non-sensitive cookies. We provide full-site SSL as an opt-in mechanism: once a user opts in, HSTS makes the browser enforce HTTPS, which defends against MITM attacks, and we are working towards full-site SSL for all users. More information on this is available here: http://codeascraft.com/2012/10/09/scaling-user-security/.
- Lack of the HttpOnly flag on non-sensitive cookies. We have set the HttpOnly flag on cookies we consider sensitive, and we do not consider the lack of HttpOnly on other cookies to be a vulnerability.
- Username enumeration through login or password reset. While username enumeration can be a vulnerability in a number of web applications, Etsy is a public marketplace and as such usernames can be enumerated by design through a number of ways including listings, forum posts, shops, etc.
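The two cookie-flag exclusions above hinge on one distinction: a missing Secure or HttpOnly attribute is only a reportable finding on a cookie that actually carries something sensitive. The triage script below is an added example (not Etsy's code and not part of the original page) of how a researcher can sort Set-Cookie headers by that rule before filing a report. The set of "sensitive" cookie names and the Set-Cookie headers are constructed for the demonstration and are assumptions, not real Etsy values; the HSTS helper is included because the page ties the Secure-flag policy to HSTS being enforced for opted-in users.

```python
"""Cookie-flag triage of the kind the scope rules above call for.

Added example, not Etsy's code. Which cookies count as "sensitive" is an
assumption embedded in SENSITIVE_NAMES; the Set-Cookie headers are
constructed for the demonstration, not captured from any real site.
"""
import re

# Assumption: cookie names chosen for the example only.
SENSITIVE_NAMES = {"session", "auth_token"}

# Constructed sample Set-Cookie headers (not captured from any real site).
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "auth_token=xyz; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT",
    "ui_theme=dark; Path=/",
    "csrf=qwe; Path=/; Secure",
]


def parse_set_cookie(header):
    """Return (name, value, attrs). attrs maps lowercased attribute names to
    their value, or True for bare flags such as Secure and HttpOnly.
    Splitting on ';' is safe: Expires dates contain commas but never ';'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def triage(set_cookie_headers, sensitive_names):
    """Map each cookie missing Secure or HttpOnly to its scope and the missing
    flags. Only cookies in sensitive_names are 'in-scope'; the rest are still
    listed, but as 'out-of-scope', matching a policy under which missing flags
    on non-sensitive cookies are not a vulnerability."""
    findings = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            scope = "in-scope" if name in sensitive_names else "out-of-scope"
            findings[name] = {"scope": scope, "missing": missing}
    return findings


def hsts_max_age(sts_header):
    """Parse a Strict-Transport-Security value and return its max-age.
    0 means the browser is not enforcing HTTPS for this host, so a sensitive
    cookie without the Secure flag can be sent over plain HTTP and read by an
    active network attacker."""
    if not sts_header:
        return 0
    m = re.search(r'max-age\s*=\s*"?(\d+)', sts_header, re.IGNORECASE)
    return int(m.group(1)) if m else 0


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_SET_COOKIE, SENSITIVE_NAMES).items():
        print(f"{name}: {finding['scope']}, missing {', '.join(finding['missing'])}")
    print("HSTS max-age:", hsts_max_age("max-age=31536000; includeSubDomains"))
```

Run against the constructed headers, only auth_token comes out as in-scope (it lacks both flags and is treated as sensitive); ui_theme and csrf are reported but out-of-scope, which is the case the policy above says not to file. A CSRF-token cookie is a typical example of one that must stay readable by script, so a missing HttpOnly on it is by design rather than a bug.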
Q) What should I be aware of when testing?
A) There are a few things that we would greatly appreciate you keep in mind when testing:
- Please do not test for spam, social engineering, or denial of service issues.
- Due to the nature of our marketplace, please do not use automated scanners without narrow scoping. Automated scanners run across the entire site result in spam in the Forums, Teams, and blog comments, as well as spam Convos being sent and items being purchased from legitimate member shops. Performing these actions interferes with our members' use of the marketplace and is against the spirit of our bounty program.
- If you would like to test Convos, please use dedicated test accounts only and do not message legitimate members of the site. If testing the listing process, all test listings must be removed immediately after testing.
- If you're interested in testing Listings or other Shop-related functionality, please put your shop in developer mode: https://www.etsy.com/developers/shop
- We reserve the right to mute and/or ban your test accounts if you are caught violating these guidelines.
Q) What's the bounty?
A) The reward for qualifying vulnerabilities is your name on our bug bounty page and an Etsy Security Team t-shirt! Monetary rewards are at our discretion for distinctly creative or severe bugs. If we run into you at a security conference we'll give you a high five and tell people how awesome you are.
Q) How do I report a vulnerability?
A) Please contact us using this form: https://www.etsy.com/bounty. Please note that reports about fraud-related activity, account disputes, or spam are not part of the bug bounty program and should be reported here: http://www.etsy.com/help/contact?topic=99
Q) What do the lawyers think about all this?
A) This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion. You must not violate any law. You also must not disrupt any service or compromise anyone’s data.
We sincerely appreciate the efforts of security researchers in keeping our community safe. The list of people who have responsibly disclosed vulnerabilities to us in the past can be found here: