Etsy is the global marketplace for unique and creative goods. Within our markets, millions of people around the world connect, both online and offline, to make, sell and buy unique goods. We also offer a wide range of Seller Services and tools that help creative entrepreneurs start, manage and scale their businesses. Our mission is to Keep Commerce Human.
Etsy's been running a bug bounty program since 2012. Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they’ve identified a vulnerability which would impact the safety of our marketplace or members. We believe that this is industry best practice.
Please use your @bugcrowdninja.com email address to create your testing account(s). We reserve the right to delete and block test accounts that are found to be abusing our testing guidelines.
See the Vulnerability Exceptions section for a list of vulnerabilities which are NOT accepted.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Changes to VRT priorities for certain bugs are listed below:
| VRT Category | Adjusted Value |
|---|---|
| Stored, non-self XSS | P2 |
| CSRF | P3/P4 |
| No Rate Limiting on Form - Login | P5 |
| No Rate Limiting on Form - email triggering | P5 |
| Cross-Site Scripting - IE-only/older version | P5 |
| Username Enumeration | P5 |
| No Password Policy | P5 |
50% payouts for blog.etsy.com and community.etsy.com, other microsites on a case-by-case basis
Last updated 29 Oct 2019 18:40:58 UTC
| Technical severity | Reward range |
|---|---|
| P1 Critical | $5,000 - $10,000 |
| P2 Severe | $1,000 - $5,000 |
| P3 Moderate | $300 - $800 |
| P4 Low | $100 - $200 |
P5 submissions do not receive any rewards for this program.
| Target name | Type |
|---|---|
| Any publicly facing host owned by Etsy, including the below: | Website |
| www.etsy.com | Website |
| Etsy Mobile Application (Android) | Android |
| Etsy Mobile Application (iPhone) | iOS |
| Etsy API (see documentation below) | API |
| icht.etsysecure.com | API |
| blog.etsy.com | Website |
| community.etsy.com | Website |
Any domain/property of Etsy not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
This program is focused on vulnerabilities in Etsy's mobile and web applications. These applications are used by Etsy customers and sellers. Additionally, the developer APIs and developer portal are also in scope.
Production Environment: Please note that this program scope is a production environment. With that in mind, please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.
All in-scope target applications are publicly accessible. Credentials can be self-provisioned as needed. Please only perform testing against accounts you expressly own and control.
DO NOT use automated scanners when testing.
Account Freezes: there are situations where during testing your account may be frozen due to fraud protection measures. If this happens, please reach out to email@example.com.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This program covers 8 scopes in 4 scope categories.