Etsy is the global marketplace for unique and creative goods. Within our
markets, millions of people around the world connect, both online and offline,
to make, sell and buy unique goods. We also offer a wide range of Seller
Services and tools that help creative entrepreneurs start, manage and scale
their businesses. Our mission is to Keep Commerce Human.
Etsy's been running a bug bounty program since 2012. Our goal is to reward
security researchers who follow responsible disclosure principles and
proactively reach out to us if they’ve identified a vulnerability which would
impact the safety of our marketplace or members. We believe that this is
industry best practice.
Please use your @bugcrowdninja.com email address to create your testing
account(s). We reserve the right to delete and block test accounts that are
found to be abusing our testing guidelines.
Vulnerability Guidelines & Exceptions
- Vulnerability reports MUST have a proof of concept or detailed explanation of the security issue.
- Please note the Vulnerability Exceptions section for a list of vulnerabilities which are NOT accepted.
- Higher quality reproduction steps and reports will be a strong factor in determining a valid issue's final bounty reward amount (In general, better reports -> bigger bounty reward).
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Changes to VRT priorities for certain bugs are listed below:
VRT Category | Adjusted Value
Non self-XSS | P2
CSRF | P3/P4
No Rate Limiting on Form - Login | P5
No Rate Limiting on Form - email triggering | P5
Cross-Site Scripting - IE-only/older version | P5
Username Enumeration | P5
No Password Policy | P5
Last updated 26 Oct 2018 17:16:52 UTC
Technical severity | Reward range
P1 Critical | $1,200 - $5,000
P2 Severe | $800 - $1,000
P3 Moderate | $300 - $600
P4 Low | $100 - $200
P5 submissions do not receive any rewards for this program.
Target name | Type
www.etsy.com | Website
Etsy Mobile Application (Android) | Android
Etsy Mobile Application (iPhone) | iOS
Etsy API (see documentation below) | API
icht.etsysecure.com | API
blog.etsy.com (payouts are half for this target, and do not include vulns in WP itself or its plugins) | Website
community.etsy.com (payouts are half for this target) | Website
Any domain/property of Etsy not listed in the targets section is out of
scope. This includes any/all subdomains not listed above.
This program is focused on vulnerabilities in Etsy's mobile and web applications. These applications are used by Etsy customers and sellers. Additionally, the developer APIs and developer portal are also in scope.
- Unauthenticated access to users' accounts / information, especially PII (Personally Identifiable Information).
- Developer API vulnerabilities.
Production Environment: Please note that this program scope is a
production environment. With that in mind, please be sure to avoid harming
infrastructure, interacting with customers, and attempting to access,
manipulate, and/or attack accounts you do not explicitly own.
Access & Credentials:
All in-scope target applications are publicly accessible. Credentials can be
self-provisioned as needed. Please only perform testing against accounts you
expressly own and control.
Buyer and Seller Accounts
Testing payment/purchasing flow:
- Create a seller account, selling something for $1
- Create a buyer account, buying the item for $1
- As the seller, refund the purchase
- NOTE: there is a 20 cent fee (on a $1 purchase) associated with transactions for sellers - this cannot be reimbursed by Etsy. Please be cognizant of this and test accordingly.
Etsy API (v3)
- Documentation for the Etsy API: https://www.etsy.com/developers/documentation
- If you're interested in testing listings or other shop-related functionality, please put your shop in developer mode: https://www.etsy.com/developers/shop
- Please Note: Documentation may be out of date (API v2), but should still be helpful in understanding the API and expected behavior.
- Applicable to CCN, Gift Card, "In-Person" payments (mobile only).
- This is a secure payment method storage system that interacts with buyer and shop accounts.
- Documentation is not provided.
- Set your shop to developer mode here: https://www.etsy.com/developers/shop (after you register an account and complete seller onboarding). Putting your shop in developer mode hides your shop and listings in our search functionality.
- Please don't create an excessive number of accounts for testing, and please limit your test transactions to small monetary amounts (like ~$1).
- If you'd like to test convos, please use dedicated test accounts only and do not message legitimate members of the site. If testing the listing process, ensure your shop is in developer mode (see above)
- Avoid using site-wide scanners. Researchers should be using targeted scanning tools as to prevent affecting the production environment.
- Testing Payments
- Be mindful with the rate and scope of automated scanning tools.
DO NOT use automated scanners when testing.
Account Freezes: there are situations where during testing your account may be frozen due to fraud protection measures. If this happens, please reach out to email@example.com.
- Social engineering attacks of any kind.
- 3rd party systems and solutions (any resource / service not managed by Etsy).
- Spam or any other mass distribution to customers, partners, etc.
- Pulling / manipulating any user data or user accounts - researchers should not pull, change, or erase any customer data during testing.
- Customer support channels (chat, phone, email, etc.) - If you have any questions or issues while testing, please send an email to firstname.lastname@example.org.
- blog.etsy.com: bug bounty payouts for this target are half the normal amount. Only Etsy-specific vulnerabilities are in scope - no vulnerabilities in WordPress itself or its plugins.
- Security reports that don't pertain to etsy.com. If you're sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.
- Flaws specific to out of date browsers/plugins. Learn more about up-to-date browsers here.
- Simple, non-XSS content injection. Manipulating a URL to present a page that contains custom text does not qualify for the bug bounty program.
- Logout cross-site request forgery. For more information on this issue, please refer to blog posts on the topic by Chris Evans and Michal Zalewski.
- Lack of the Secure flag on non-sensitive cookies. We provide full site SSL as a mechanism to defend against MITM (via HSTS) for sensitive session cookies. More information on this is available here: http://codeascraft.com/2012/10/09/scaling-user-security/.
- Lack of HTTPOnly flag on non-sensitive cookies. We have set the HTTPOnly flag on cookies we feel are sensitive and we do not consider the lack of HTTPOnly on other cookies to be a vulnerability.
- Username enumeration through login or password reset. While username enumeration can be a vulnerability in a number of web applications, Etsy is a public marketplace and as such usernames can be enumerated by design through a number of ways including listings, forum posts, shops, etc.
- CSRF issues submitted with a proof-of-concept containing a nonce.
This program follows Bugcrowd’s standard disclosure
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.