How do I disclose security vulnerabilities responsibly?
For Etsy Members:
For reporting fraud-related activity, account disputes, or spam please use this contact form: http://www.etsy.com/help/contact
For reporting a spoof or phishing email, please contact: email@example.com
For Professional Security Researchers
Q) What's a valid bug?
A) Web application vulnerabilities such as XSS, CSRF, SQLi, authentication issues, remote code execution, and authorization issues. The vulnerability must be in the main www.etsy.com site, the etsy.com API, or the official Etsy mobile applications. Note that systems we do not control (such as links/redirect to 3rd party sites, or CDNs) are excluded from the scope of the bounty. You must be the first person to responsibly disclose the bug to us, you must have found the vulnerability yourself, and you must follow responsible disclosure principles of giving us a reasonable time to address the issue before you make any information public.
Q) What's not a valid bug?
A) Although we review each submission on a case-by-case basis, the following are some of the issues which typically do not meet the requirements of our bounty program:
- Best practices. We don't accept submissions that are simply configuration/policy suggestions.
- Output from automated tools without a proof of concept. Output that is copied from websites like ssllabs.org or from vulnerability scanners without a proof of concept usually contains a lot of false positives.
- Security reports that don't pertain to etsy.com. If you're sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.
- Flaws specific to out-of-date browsers/plugins. Amongst others, this encompasses versions of Internet Explorer prior to version 8.
- Logout cross-site request forgery. For more information on this issue, please refer to blog posts on the topic by Chris Evans and Michal Zalewski.
- Lack of the Secure flag on non-sensitive cookies. We provide full site SSL as a mechanism to defend against MITM (via HSTS) for sensitive session cookies. More information on this is available here: http://codeascraft.com/2012/10/09/scaling-user-security/.
- Lack of HTTPOnly flag on non-sensitive cookies. We have set the HTTPOnly flag on cookies we feel are sensitive and we do not consider the lack of HTTPOnly on other cookies to be a vulnerability.
- Username enumeration through login or password reset. While username enumeration can be a vulnerability in a number of web applications, Etsy is a public marketplace and as such usernames can be enumerated by design through a number of ways including listings, forum posts, shops, etc.
Q) What should I be aware of when testing?
A) There are a few things that we would greatly appreciate you keep in mind when testing:
- Please do not test for spam, social engineering, or denial of service issues.
- Due to the nature of our marketplace, please do not use automated scanners without narrow scoping. Automated scanners run across the entire site result in spam in the Forums, Teams, and blog comments, as well as sending spam Convos and purchasing items from legitimate member shops. Performing these actions interferes with our members' use of the marketplace and is against the spirit of our bounty program.
- If you would like to test Convos, please use dedicated test accounts only and do not message legitimate members of the site. If testing the listing process, all test listings must be removed immediately after testing.
- If you're interested in testing Listings or other Shop-related functionality, please put your shop in developer mode: https://www.etsy.com/developers/shop
- We reserve the right to mute and/or ban your test accounts if you are caught violating these guidelines.
- Please don't create an excessive number of accounts for testing, and please limit your test transactions to small monetary amounts (less than $1).
Q) How is my bounty report evaluated?
A) The Etsy security team evaluates each bounty report as it comes in. We often receive duplicate reports for issues that are pending fixes, so we look first to see if your issue has already been reported. If it's not a duplicate, issues that are not immediately disqualified from the bounty based on the above criteria (such as scope, issues that don't qualify, etc.) are tested to see if the issue can be recreated. If we can't recreate the issue, we'll reach out to you for more details via e-mail. We then determine whether the report constitutes an actual security issue that needs to be fixed (as opposed to a normal functionality bug).
If your report meets the above criteria, we will e-mail you to let you know that we've accepted your bounty, and start working on a fix for this issue.
Q) What's the bounty?
A) The reward for qualifying vulnerabilities is your name on our bug bounty page and an Etsy Security Team t-shirt! Monetary rewards are at our discretion for distinctly creative or severe bugs. If we run into you at a security conference we'll give you a high five and tell people how awesome you are.
Q) How do I report a vulnerability?
A) Please contact us using this form: https://www.etsy.com/bounty. Please note that reports about fraud-related activity, account disputes, or spam are not part of the bug bounty program and should be reported here: http://www.etsy.com/help/contact?topic=99
Q) What do the lawyers think about all this?
A) This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion. You must not violate any law. You also must not disrupt any service or compromise anyone’s data.
We sincerely appreciate the efforts of security researchers in keeping our community safe. The list of people who have responsibly disclosed vulnerabilities to us in the past can be found here: