A clear, concise bug bounty report helps us research and verify your issue as being valid. In addition, better write-ups and proofs-of-concept often receive higher rewards from us.
How to report a security issue
If you don't already have one, please create an account on Etsy.com.
Registering for an account helps us maintain a correspondence with you throughout the bug bounty submission process, and also helps us keep track of accounts you use for testing purposes. Submitting a bug bounty from an account that you've used to test the issue also helps give us more context for reproducing the issue you've reported.
Write down the issue
Bug bounty submissions require:
- A title
- A summary: a free-form description of the issue
- Some steps you took to recreate the issue: a list of the exact steps you took
- The impact: in your own words, a description of what an attacker could do with this issue
Let's say you found a bug that allows an attacker to embed a cross-site scripting attack when updating the "about" field for your user profile. Normally the endpoint accepts plaintext, but the server does not validate input. If a visitor browses to a page that makes that API call to retrieve that user's profile information, it will retrieve the information via an ajax call and display it on the page unmodified. An attacker can insert a cross-site scripting attack in their profile and use it to read the session cookies for anyone visiting their profile. A good subject line for this issue could be "Cross-Site Scripting when updating your profile via the API."
Recreate the issue
Reproducing the issue is important for us to be able to verify that it's a real issue that qualifies for the bug bounty. For our example cross-site scripting bug that we've described above, the description to recreate the issue could look like this:
- Sign in to your Etsy account.
- Go to https://www.etsy.com/your/profile.
- Start an intercepting proxy.
- Submit a request on etsy.com/your/profile, and capture the request.
- The POST request field "about" should be changed to include a cross-site scripting vector (something like ), and the request should be allowed to continue.
- The edit page should show your cross-site scripting attack on the page.
- Sign out and in as a different user and visit the first user's profile page at https://www.etsy.com/people/firstuser
Sending us the URLs and parameters involved in the requests (such as /your/profile and the "about" field in our example bounty) helps us recreate your bounty issue, which is why most successful bounty reports are written with the help of an interception proxy like Burp. Although proxies often give a great deal of insight into how the server is handling requests, we ask that you refrain from making speculative guesses about what's going on and instead focus on enumerating the steps needed to recreate the issue.
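The example bug above comes down to one rendering decision: the profile page takes the "about" field from the API response and inserts it into the page unmodified. The following is an added illustration, not Etsy's code; the response shape, the function names and the wrapper markup are assumptions. It shows the unsafe rendering pattern next to two defensive fixes a report could point at: HTML-encoding the value on output (the primary fix, equivalent to using textContent instead of innerHTML) and rejecting markup in a field the endpoint documents as plaintext (defense in depth on the server side). A small checker flags whether rendered output still carries active content, which is the kind of verification a reviewer runs before and after a fix.

```javascript
// Added example (not Etsy's code). Models the client-side rendering of a
// profile "about" field fetched over AJAX, the unsafe pattern, and two fixes.
// The response shape and all names below are assumptions for illustration.

// Constructed sample API response for a profile whose "about" field contains
// markup that a plaintext field should never hold.
const SAMPLE_PROFILE = {
  username: "firstuser",
  about: "Hi! <script>alert(1)</script> I sell pottery.",
};

// Encode the five characters that matter for HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// UNSAFE: the page's equivalent of `el.innerHTML = profile.about`.
// Whatever the API returns becomes live markup in every visitor's browser.
function renderAboutUnsafe(profile) {
  return `<div class="about">${profile.about}</div>`;
}

// SAFE: encode on output. Equivalent to `el.textContent = profile.about`;
// the same text is shown, but the browser treats it as data, not markup.
function renderAboutSafe(profile) {
  return `<div class="about">${escapeHtml(profile.about)}</div>`;
}

// Server-side defense in depth for a field documented as plaintext:
// refuse the update instead of silently storing markup.
function validatePlaintext(about) {
  if (/[<>]/.test(about)) {
    return { ok: false, reason: "markup is not allowed in a plaintext field" };
  }
  return { ok: true, reason: "" };
}

// Verification helper: does the rendered fragment still contain anything a
// browser would execute? Used to confirm a fix actually removed the problem.
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=|javascript:/i.test(html);
}

// Stand-alone demonstration of the before/after comparison a report can include.
function demo() {
  return {
    unsafeIsExecutable: containsActiveContent(renderAboutUnsafe(SAMPLE_PROFILE)),
    safeIsExecutable: containsActiveContent(renderAboutSafe(SAMPLE_PROFILE)),
    updateAccepted: validatePlaintext(SAMPLE_PROFILE.about).ok,
  };
}

console.log(demo());
```

Output encoding is the fix that closes the bug regardless of what the database already holds; the plaintext check only prevents new markup from being stored, so a report that suggests fixes should name both rather than rely on input validation alone.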
Note the impact of your issue
Sometimes an issue requires some interaction by the victim in order to trigger. There's a big difference between social engineering that requires a victim to visit a custom webpage that looks like Etsy, and one that simply requires them to visit the page to be victimized (like in our above cross-site scripting example). In general, Etsy will not honor bounties that require extensive social engineering, and we value impact descriptions that give a straightforward description of the damage that can be done (for example, reading in a user's session cookies).
Provide additional evidence and proof
Video and screenshots demonstrating your issue can be useful in helping us assess your bounty.
Here are some guidelines for your videos:
- Keep them short and to the point.
- Make sure they're uploaded to a reputable video hosting site.
- Keep the video private.
It's a good idea to include additional details, such as the date and version information for the mobile apps.
We also highly value reports that note proper ways to fix the issues they describe, and this along with the rest of the quality of your report factors into your potential bounty payout.
Qualities of a good bounty
Good bounties:
- Tend to have an easy-to-follow, step-by-step methodology for reproducing the issue
- Don't have unnecessary details in the report
- Contain a simple proof-of-concept or attack vector that gets the job done
- Are checked for grammatical errors and bad spelling
- Contain a private video link, photos, or other evidence hosted on a website like YouTube, Dropbox, etc. that is helpful for reproducing the issue
- Offer an interesting exploitation/proof of concept scenario to outline the potential impact of an issue
- Are reported using the Etsy bug bounty form
Bad bounties:
- Have proofs-of-concept that are straight up copy-pasted from websites or are pages-long output from a scanning tool
- Reference issues that are copied and pasted without any changes from other bug bounty websites
- Are written in a rude, demanding tone of voice
- Contain a public video link, poor quality video/photos that make it hard to follow what is happening, or are hosted on a non-reputable website
- Make unreasonable claims about the impact of a security issue
- Are sent in to different Etsy.com email addresses instead of reporting them using the Etsy bug bounty form
What tools should I use?
We've generally found that scanning tools, and reports sent in from scanning tools, tend to mostly produce false positives. Interception tools like Burp proxy are very useful both for finding issues and for keeping track of the URLs and parameters you've manipulated when testing. In general, we've found that keeping an open mind and thinking about the different ways functionality can be misused can be helpful when discovering new security issues.
Getting paid
We encourage you to read our bug bounty Help page to review the guidelines and get a better understanding of what constitutes a valid security bug and what doesn't.
The impact of a security issue primarily drives the bounty reward a researcher can expect. Issues that have a secondary impact a researcher may not initially realize, or that pose a larger potential risk to members, will also tend to be more highly rewarded. For two issues with equal impact, we will usually pay both around the same amount, but the report with the better write-up/proof of concept will tend to get a slightly higher bounty reward.
Good luck, bug hunters!