Responsibly Disclosing Security Vulnerabilities

If you're an Etsy member who'd like to report fraud-related activity, account disputes, or spam, please contact Etsy Support by clicking the link at the bottom of this page.

For reporting a spoof or phishing email, please contact spoof@etsy.com.

For professional security researchers

What's a valid bug?

Web application vulnerabilities such as XSS, CSRF, SQLi, authentication issues, remote code execution, and authorization issues are considered valid bugs. The vulnerability must be in the main www.etsy.com site, the etsy.com API, www.etsystudio.com, www.patternbyetsy.com, or the official Etsy mobile applications.

Note that systems we do not control (such as links/redirects to third-party sites, or CDNs) are excluded from the scope of the bounty. You must be the first person to responsibly disclose the bug to us, you must have found the vulnerability yourself, and you must follow responsible disclosure principles of giving us a reasonable time to address the issue before you make any information public.

What's not a valid bug?

Although we review each submission on a case-by-case basis, the following are some of the issues that typically do not meet the requirements of our bounty program:

  • Best practices. We don't accept submissions that are simply configuration/policy suggestions.

  • Output from automated tools without a proof of concept. Output copied from websites like ssllabs.org or from vulnerability scanners without a proof-of-concept usually contains a lot of false positives.

  • Security reports that don't pertain to etsy.com. If you're sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.

  • Flaws specific to out-of-date browsers/plugins. Learn more about up-to-date browsers here.

  • Simple, non-XSS content injection. Manipulating a URL to present a page that contains custom text does not qualify for the bug bounty program.

  • Logout cross-site request forgery. For more information on this issue, please refer to blog posts on the topic by Chris Evans and Michal Zalewski.

  • Lack of the Secure flag on non-sensitive cookies. We provide full site SSL as a mechanism to defend against MITM (via HSTS) for sensitive session cookies. More information on this is available here: http://codeascraft.com/2012/10/09/scaling-user-security/.

  • Lack of HTTPOnly flag on non-sensitive cookies. We have set the HTTPOnly flag on cookies we feel are sensitive and we do not consider the lack of HTTPOnly on other cookies to be a vulnerability.

  • Username enumeration through login or password reset. While username enumeration can be a vulnerability in a number of web applications, Etsy is a public marketplace and as such usernames can be enumerated by design through a number of ways including listings, forum posts, shops, etc.

  • CSRF issue submitted with a proof-of-concept containing a nonce.

Things to be aware of while testing

  • Please do not test for spam, social engineering, or denial of service issues.

  • Due to the nature of our marketplace, please do not use automated scanners without a narrow scoping. Running automated scanners across the entire site can result in spam in the Forums, Teams, and blog comments. Automated scanners can also send spam convos and purchase items from legitimate Etsy shops. In addition, please note that we have automated blocking mechanisms in place to catch scanners, which will prevent you from accessing the site or submitting bounties to us using the bounty submission form for a full day. Performing these actions interferes with our members' use of the marketplace and is against the spirit of our bounty program.

  • If you'd like to test convos, please use dedicated test accounts only and do not message legitimate members of the site. If testing the listing process, all test listings must be removed immediately after testing.

  • We reserve the right to mute and/or ban your test accounts if you are caught violating these guidelines.

  • Please don't create an excessive number of accounts for testing, and please limit your test transactions to small monetary amounts (less than $1).

Bounty report evaluations

The Etsy Security team evaluates each bounty report as it comes in. We often receive duplicate reports for issues that are pending fixes, so we look first to see if your issue has already been reported.

If it's not a duplicate report, issues that are not immediately disqualified for the bounty based on the above criteria (such as scope, issues that don't qualify, etc.) are tested to see if the issue can be recreated. If we can't recreate the issue, we'll reach out to you via email for more details.

We then determine if this report constitutes an actual security issue that needs to be fixed, as opposed to a normal functionality bug.

If your report meets the above criteria, we will email you to let you know that we've accepted your bounty, and we'll start working on a fix for this issue.

The bounty

The reward for qualifying vulnerabilities is your name on our bug bounty page and an Etsy Security Team t-shirt! Monetary rewards are at our discretion for distinctly creative or severe bugs. If we run into you at a security conference we'll give you a high five and tell people how awesome you are.

Reporting a vulnerability

Please contact us using this form: https://www.etsy.com/bounty

Keep in mind that reports about fraud-related activity, account disputes, or spam are not part of the bug bounty program. For these types of issues, please contact Etsy Support.

Please do not contact Etsy employees regarding your bounty submission. We reserve the right to refuse or revoke membership to the program at any time for any reason.

Taxes and restrictions

This program is not open to minors, individuals on sanctions lists, or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law.

We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion. You must not violate any law. You also must not disrupt any service or compromise anyone’s data. This includes moving beyond a "proof-of-concept" for issue reproduction, examples of which include dumping databases if you find SQLi, screenshotting a user's browser desktop if you have XSS, exfiltrating auth cookies, etc.

We sincerely appreciate the efforts of security researchers in keeping our community safe. The list of people who have responsibly disclosed vulnerabilities to us in the past can be found here.


Contact support