How do I disclose security vulnerabilities responsibly?
For Etsy Members:
For reporting fraud-related activity, account disputes, or spam please use this contact form: http://www.etsy.com/help/contact?topic=99
For reporting a spoof or phishing email, please contact: firstname.lastname@example.org
For Professional Security Researchers
We genuinely appreciate the efforts of security researchers, and offer a bounty for certain security bugs per the qualifications below:
Q) What's a valid bug?
A) Web application vulnerabilities such as XSS, CSRF, SQLi, authentication issues, remote code execution, and authorization issues. The vulnerability must be in the main www.etsy.com site, the etsy.com API, or the official Etsy mobile applications. Note that systems we do not control (such as links/redirects to third-party sites, or CDNs) are excluded from the scope of the bounty. You must be the first person to responsibly disclose the bug to us, you must have found the vulnerability yourself, and you must follow responsible disclosure principles by giving us a reasonable time to address the issue before you make any information public.
Q) What's not a valid bug?
A) Although we review each submission on a case-by-case basis, the following are some of the issues which typically do not meet the requirements of our bounty program:
- Flaws specific to out-of-date browsers/plugins. Amongst others, this encompasses versions of Internet Explorer prior to version 8.
- Logout cross-site request forgery. For more information on this issue, please refer to blog posts on the topic by Chris Evans and Michal Zalewski.
- Lack of the Secure flag on non-sensitive cookies. We offer full-site SSL as an opt-in setting, enforced via HSTS, to defend against MITM while we work towards releasing full-site SSL for all users. More information on this is available here: http://codeascraft.com/2012/10/09/scaling-user-security/.
- Lack of HTTPOnly flag on non-sensitive cookies. We have set the HTTPOnly flag on cookies we feel are sensitive and we do not consider the lack of HTTPOnly on other cookies to be a vulnerability.
- Username enumeration through login or password reset. While username enumeration can be a vulnerability in a number of web applications, Etsy is a public marketplace and as such usernames can be enumerated by design through a number of ways including listings, forum posts, shops, etc.
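Before reporting a cookie-flag issue under the two exclusions above, it helps to check exactly which cookies lack Secure or HttpOnly and whether any of them is session or auth material. The following triage script is an added example and not Etsy's code; the Set-Cookie lines are constructed samples rather than captured from etsy.com, and the list of "sensitive" name fragments is an assumption you should adjust to the cookies you actually observe.

```python
"""Classify Set-Cookie headers by their Secure / HttpOnly flags.

Added example for the cookie-flag exclusions above (not Etsy's code).
The sample headers are constructed, and SENSITIVE_NAMES is an assumption.
"""
from dataclasses import dataclass

# Assumption: name fragments a reviewer treats as session/auth material.
SENSITIVE_NAMES = {"session", "sid", "auth", "token"}


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    sensitive: bool

    @property
    def findings(self):
        """Missing flags that would matter under the program's rules:
        only sensitive cookies count; non-sensitive ones are excluded."""
        out = []
        if self.sensitive and not self.secure:
            out.append("missing Secure on sensitive cookie")
        if self.sensitive and not self.httponly:
            out.append("missing HttpOnly on sensitive cookie")
        return out


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie value (RFC 6265: name=value; attr; attr=value).

    Attribute names are case-insensitive, so 'secure', 'Secure' and
    'SECURE' are all recognised.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    sensitive = any(frag in name.lower() for frag in SENSITIVE_NAMES)
    return CookieReport(name, "secure" in attrs, "httponly" in attrs, sensitive)


def triage(headers):
    """Split cookies into (in_scope, out_of_scope).

    in_scope: list of (name, findings) for sensitive cookies missing a flag.
    out_of_scope: names of non-sensitive cookies missing a flag, which
    the program above says it does not consider a vulnerability.
    """
    in_scope, out_of_scope = [], []
    for header in headers:
        report = parse_set_cookie(header)
        if report.findings:
            in_scope.append((report.name, report.findings))
        elif not (report.secure and report.httponly):
            out_of_scope.append(report.name)
    return in_scope, out_of_scope


# Constructed sample Set-Cookie values (not captured from etsy.com).
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly",
    "uaid=9f2c1; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
    "auth_token=xyz789; Path=/",
    "lang=en-US; Path=/; HttpOnly",
]

if __name__ == "__main__":
    reportable, excluded = triage(SAMPLE_HEADERS)
    for name, problems in reportable:
        print(f"REPORT {name}: {', '.join(problems)}")
    for name in excluded:
        print(f"EXCLUDED {name}: non-sensitive cookie, flag gap out of scope")
```

Run against real responses by feeding each Set-Cookie header value to triage(); anything in the second list falls under the exclusions above, and only the first list is worth a submission.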
Q) What should I be aware of when testing?
A) There are a few things that we would greatly appreciate you keep in mind when testing:
- Please do not test for spam, social engineering, or denial of service issues.
- Due to the nature of our marketplace, please do not use automated scanners without narrow scoping. Automated scanners run across the entire site result in spam in the Forums, Teams, and blog comments, as well as spam Convos being sent and items being purchased from legitimate member shops. Performing these actions interferes with our members' use of the marketplace and is against the spirit of our bounty program.
- If you would like to test Convos, please use dedicated test accounts only and do not message legitimate members of the site. If testing the listing process, all test listings must be removed immediately after testing.
- If you're interested in testing Listings or other Shop-related functionality, please put your shop in developer mode: https://www.etsy.com/developers/shop
- We reserve the right to mute and/or ban your test accounts if you are caught violating these guidelines.
Q) What's the bounty?
A) The reward for qualifying vulnerabilities is your name on our bug bounty page and an Etsy Security Team t-shirt! Monetary rewards are at our discretion for distinctly creative or severe bugs. If we run into you at a security conference we'll give you a high five and tell people how awesome you are.
Q) How do I report a vulnerability?
A) Please contact us using this form: https://www.etsy.com/help/bounty. Please note that reports about fraud-related activity, account disputes, or spam are not part of the bug bounty program and should be reported here: http://www.etsy.com/help/contact?topic=99
Q) What do the lawyers think about all this?
A) This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion. You must not violate any law. You also must not disrupt any service or compromise anyone’s data.
We sincerely appreciate the efforts of security researchers in keeping our community safe. The following people have responsibly disclosed vulnerabilities to us in the past:
Neal Poole - @NealPoole
Ben Hayak - @BenHayak
James Golick - @jamesgolick
Ari Rubinstein - @arirubinstein
Elvin Gentiles - @elvinguitar
Kamil Sevi - @kamilsevi
Ashar Javed - @soaj1664ashar
Avram Marius Gabriel - (randomstorm.com)
Shai Rod - @NightRang3r
Pepe Vila - @cgvwzq
Nir Goldshlager - @NirGoldshlager
Ryan Cirillo - @ryancirillo
Roman Shafigullin - (shafigullin.pro)
Mateusz Goik - (www.aliantsoft.pl)
Mauro Gentile - @sneak_
Milad Bahari Rad - @milad_bahari
Johnathan Kuskos - @JohnathanKuskos
Amir Etemadieh of Accuvant LABS - @Zenofex
Szymon Gruszecki - @szgru
João Lucas Melo Brasio - (whitehathackers.com.br) (dotfivelabs.com.br)
Jack W - (fin1te.net)
Claudio Salazar - @spectresearch
Frans Rosén - (www.detectify.com)
Alex Davies - (pwndizzle.blogspot.com)
Mohamed Ramadan - (Attack-Secure.com)
Emanuel Bronshtein - @e3amn2l
Yogesh Jaygadkar - (www.jaygadkar.com)
Rakan Alotaibi - @hxteam
Piaca - @piapiacaca
Sergey Bobrov of Positive Technologies - (www.ptsecurity.com)
Semen Rozhkov of Positive Technologies - (www.ptsecurity.com)
Malte Batram - @_batram
Hassan El Hadary
Neil Bergman of Cigital
Prashant Negi - @prashantnegi_
Muhammad Waqar - @MuhammadWaqar_9
Mike Czumak - @SecuritySift
TurkSec Group - @TurkGuvenligi
Matteo Neri - @nmatte90
Sasi Levi - @sasi2103
Nitesh Shilpkar - @NiteshShilpkar
Krutarth Shukla - @KrutarthShukla (krutarthshukla.com)
Rishiraj Sharma (R3DKill_ER) - @ehrishiraj
Atulkumar Hariba Shedage - @atul_shedage
Umer Shakil - @umer_djzz
Ali Hasan Ghauri - @alihasanghauri
Manish Bhattacharya - @umenmactech
Mukesh Dhama & Ravindra Singh Rathore
Dawn Isabel of HP Fortify ShadowLabs - @dawnisabel
José Luís Zayas Banderas - (www.axarnet.es)
Osanda Malith Jayathissa - @OsandaMalith
Akhil Reni - @akhil_reni
Abhibandu Kafle - @kabhi_kav
Allan Jay Tomol - (facebook.com/atomtheman)
Michael Henriksen - @michenriksen
Mikko Carreon - (facebook.com/mikkz.mikko)
Prayas Kulshrestha - @prayas_prayas
Ajay Negi - (www.websecresearch.com)
Prashant Singh Negi - @prashantnegi_
Mahipal Singh Rajpurohit - @rajgurumahi007
Sachin Thakuri - @sachinnthakuri
Srikanth Yandava - @nani1337
s3f4 - @s3cf4
Vedachala - @vedachalaka
Harsha Vardhan Boppana - @hvboppana
Jayson Zabate - (jaysonzabate.com)
Nitin Goplani - (linkedin.com/in/nitingoplani)
Dhaval Chauhan - @17haval
Anand Prakash - @sehacure
Edis Konstantini - @EdisKonstantini
Rohan Durve from Dionach - (141.io)
Narendra Bhati (R00t Sh3ll) - @NarendraBhatiB
Prakhar Prasad (https://prakharprasad.com)
Shahmeer Amir (https://www.maadssec.com/)