Etsy is the global marketplace for unique and creative goods. Within our markets, millions of people around the world connect, both online and offline, to make, sell and buy unique goods. We also offer a wide range of Seller Services and tools that help creative entrepreneurs start, manage and scale their businesses. Our mission is to Keep Commerce Human.
Etsy's been running a bug bounty program since 2012. Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they’ve identified a vulnerability which would impact the safety of our marketplace or members. We believe that this is industry best practice.
Please use your @bugcrowdninja.com email address to create your testing account(s). We reserve the right to delete and block test accounts that are found to be abusing our testing guidelines.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Changes to VRT priorities for certain bugs are listed below:
| VRT Category | Adjusted Value |
|---|---|
| Stored, non-self XSS | P2 |
| CSRF | P3/P4 |
| No Rate Limiting on Form - Login | P5 |
| No Rate Limiting on Form - email triggering | P5 |
| Cross-Site Scripting - IE-only/older version | P5 |
| Username Enumeration | P5 |
| No Password Policy | P5 |
50% payouts for P1 and P2 submissions on blog.etsy.com and community.etsy.com, and other microsites on a case-by-case basis.
Etsy uses a number of third-party providers and services. We cannot authorize security testing against systems that do not belong to us, but strongly suggest reporting issues identified within these services to the third-party directly.
However, if you believe an issue with one of our third-party service providers results from Etsy's misconfiguration or insecure usage of that service, we'd appreciate your report. The same applies if you've reported an issue affecting many customers of the service and believe Etsy can temporarily mitigate it, without stopping usage of the service, while a fix is implemented upstream.
Keep in mind that any reports regarding third-party services are rewarded on a case-by-case basis, and usually at a percentage of our normal payout.
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
| Scope Type | Scope Name |
|---|---|
| android_application | Etsy Mobile Application (Android) |
| api | Etsy API (see documentation below) |
| ios_application | Etsy Mobile Application (iPhone) |
| undefined | Any publicly facing host owned by Etsy, including the below: |
| web_application | www.etsy.com |
| web_application | blog.etsy.com |
| web_application | community.etsy.com |
| web_application | etsypayments.com |
| web_application | help.etsy.com |

| Scope Type | Scope Name |
|---|---|
| api | icht.etsysecure.com |
This program lists 10 scopes across 5 scope categories.
FireBounty © 2015-2024