Angelina
Etsy Bug Bounty
« on: June 14, 2023, 07:05:11 pm »
Submit bug reports: https://bugcrowd.com/etsy

Etsy is the global marketplace for unique and creative goods. Within our markets, millions of people around the world connect, both online and offline, to make, sell and buy unique goods. We also offer a wide range of Seller Services and tools that help creative entrepreneurs start, manage and scale their businesses. Our mission is to Keep Commerce Human.

Etsy's been running a bug bounty program since 2012. Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they’ve identified a vulnerability which would impact the safety of our marketplace or members. We believe that this is industry best practice.

Vulnerability Guidelines & Exceptions
Vulnerability reports MUST have a proof of concept or detailed explanation of the security issue.
Please note the Vulnerability Exceptions section for a list of vulnerabilities which are NOT accepted.
Higher quality reproduction steps and reports will be a strong factor in determining a valid issue's final bounty reward amount (in general, better reports -> bigger bounty reward). PLEASE provide clear step-by-step instructions for replication.
Rewards
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Changes to VRT priorities for certain bugs are listed below:

VRT Adjustments
VRT Category                                    Adjusted Value
Stored, non-self XSS                            P2
CSRF                                            P3/P4
No Rate Limiting on Form - Login                P5
No Rate Limiting on Form - email triggering     P5
Cross-Site Scripting - IE-only/older version    P5
Username Enumeration                            P5
No Password Policy                              P5
Payout Tiers
50% payouts for P1 and P2 submissions on blog.etsy.com and community.etsy.com, and other microsites on a case-by-case basis.

Third Party Bugs
Etsy uses a number of third-party providers and services. We cannot authorize security testing against systems that do not belong to us, but strongly suggest reporting issues identified within these services to the third-party directly.

However, if you believe an issue with one of our third-party service providers is the result of Etsy's misconfiguration or insecure usage of that service (or you've reported an issue affecting many customers of the service that you believe Etsy can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we'd appreciate your report regarding the issue.

Keep in mind that any reports regarding third-party services are rewarded on a case-by-case basis, and usually at a percentage of our normal payout.

Focus Areas
This program is focused on vulnerabilities in Etsy's mobile & web applications. These applications are used by Etsy customers and sellers. Additionally, the developer APIs and portal are also in scope.

Unauthenticated access to users' accounts / information, especially PII (Personally Identifiable Information).
Developer API vulnerabilities.
Production Environment: Please note that this program scope is a production environment. With that in mind, please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.

Access & Credentials:
All in-scope target applications are publicly accessible. Credentials can be self-provisioned as needed. Please only perform testing against accounts you expressly own and control.

Buyer and Seller Accounts
Seller Shop Sign-Up: https://www.etsy.com/your/shop/create?us_sell_create_value
Please Note: when registering a Seller Shop, there is bank account and credit card number verification.
Buyer Sign-Up: https://www.etsy.com
Testing payment/purchasing flow:
Create a seller account, selling something for $1
Create a buyer account, buying the item for $1
As the seller, refund the purchase
NOTE: there is a 20 cent fee (on a $1 purchase) associated with transactions for sellers - this cannot be reimbursed by Etsy. Please be cognizant of this and test accordingly.
Target Information
Mobile Applications
Android: https://play.google.com/store/apps/details?id=com.etsy.android&hl=en
iPhone: https://itunes.apple.com/us/app/etsy-shop-creative/id477128284?mt=8
Etsy API (v3)
Documentation for the Etsy API: https://www.etsy.com/developers/documentation
If you're interested in testing listings or other shop-related functionality, please put your shop in developer mode: https://www.etsy.com/developers/shop
Please Note: Documentation may be out of date (API v2), but should still be helpful in understanding the API and expected behavior.
etsypayments.com
Applicable to credit card and gift card payments.
This is a secure payment method storage system that interacts with buyer and shop accounts.
Documentation is not provided.
help.etsy.com
Primarily interested in findings introduced by Etsy customizations
Zendesk-wide bugs will be accepted on a case-by-case basis
Testing Guidelines:
Set your shop to developer mode here: https://www.etsy.com/developers/shop (after you register an account and complete seller onboarding). Putting your shop in developer mode hides your shop and listings in our search functionality.
Please don't create an excessive number of accounts for testing, and please limit your test transactions to small monetary amounts (like ~$1).
If you'd like to test convos, please use dedicated test accounts only and do not message legitimate members of the site. If testing the listing process, ensure your shop is in developer mode (see above).
Avoid using site-wide scanners. Researchers should use targeted scanning tools so as to avoid affecting the production environment.
Testing Payments
Be mindful with the rate and scope of automated scanning tools.
DO NOT use automated scanners when testing etsypayments.com.
Account Freezes: there are situations where during testing your account may be frozen due to fraud protection measures. If this happens, please reach out to support@bugcrowd.com.

Out-of-Scope
DoS/DDoS
3rd party systems and solutions (any resource / service not managed by Etsy).
Spam or any other mass distribution to customers, partners, etc.
Pulling / manipulating any user data or user accounts - researchers should not pull, change, or erase any customer data during testing.
Customer support channels (chat, phone, email, etc.) - If you have any questions or issues while testing, please send an email to support@bugcrowd.com.
blog.etsy.com Bug bounty payouts are paid out half of normal. Only Etsy-specific vulnerabilities are in scope - no vulnerabilities in Wordpress itself or its plugins.
IDOR
All Etsy APIs
Any pending submissions submitted before the out of scope changes will be reviewed and processed accordingly.