Etsy

Listing dates: 2018-03-22, 2020-04-23
Recognition offered: Thanks, Gift, Hall of Fame, Reward
Reward: 100 $

Program Overview

Etsy is the global marketplace for unique and creative goods. Within our markets, millions of people around the world connect, both online and offline, to make, sell and buy unique goods. We also offer a wide range of Seller Services and tools that help creative entrepreneurs start, manage and scale their businesses. Our mission is to Keep Commerce Human.

Etsy's been running a bug bounty program since 2012. Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they’ve identified a vulnerability which would impact the safety of our marketplace or members. We believe that this is industry best practice.

Please use your @bugcrowdninja.com email address to create your testing account(s). We reserve the right to delete and block test accounts that are found to be abusing our testing guidelines.

Vulnerability Guidelines & Exceptions

  • Vulnerability reports MUST have a proof of concept or detailed explanation of the security issue.
  • Please note the Vulnerability Exceptions section for a list of vulnerabilities which are NOT accepted.
  • Higher-quality reproduction steps and reports will be a strong factor in determining a valid issue's final bounty reward amount (in general, better reports -> bigger bounty reward). PLEASE provide clear step-by-step instructions for replication.

Rewards

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Changes to VRT priorities for certain bugs are listed below:

VRT Adjustments

VRT Category                                      Adjusted Value
Stored, non-self XSS                              P2
CSRF                                              P3/P4
No Rate Limiting on Form - Login                  P5
No Rate Limiting on Form - email triggering       P5
Cross-Site Scripting - IE-only/older version      P5
Username Enumeration                              P5
No Password Policy                                P5

Payout Tiers

50% payouts for P1 and P2 submissions on blog.etsy.com and community.etsy.com, and other microsites on a case-by-case basis.

Third Party Bugs

Etsy uses a number of third-party providers and services. We cannot authorize security testing against systems that do not belong to us, but strongly suggest reporting issues identified within these services to the third-party directly.

However, if you believe an issue with one of our third-party service providers is the result of Etsy's misconfiguration or insecure usage of that service (or you've reported an issue affecting many customers of the service that you believe Etsy can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we'd appreciate your report regarding the issue.

Keep in mind that any reports regarding third-party services are rewarded on a case-by-case basis, and usually at a percentage of our normal payout.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type              Scope Name
android_application     Etsy Mobile Application (Android)
api                     Etsy API (see documentation below)
ios_application         Etsy Mobile Application (iPhone)
(unspecified)           Any publicly facing host owned by Etsy, including the below:
web_application         www.etsy.com
web_application         blog.etsy.com
web_application         community.etsy.com
web_application         etsypayments.com
web_application         help.etsy.com

Out of Scope

Scope Type              Scope Name
api                     icht.etsysecure.com

This program lists 10 scopes in 5 scope categories.

FireBounty © 2015-2024