Etsy Security Bug Bounty

DID YOU FIND A SECURITY BUG ON ETSY? GREAT.

A clear, concise bug bounty report helps us research and confirm the validity of the issue being reported. A well written diagnosis and proof of concept will receive a higher reward from the review committee.

We'll take a look at the steps required in submitting a bug bounty and offer some helpful tips and suggestions to help improve the likelihood of your issue being accepted for a bounty, as well as your experience with the Etsy bug bounty program.

How to Report A Security Issue

Create an account on Etsy.com

Creating an account helps us maintain correspondence with you throughout the bug bounty submission process. It also helps us keep track of your test accounts. Submitting a bug bounty from an account that you've used to test the issue will give us more context when reproducing the issue you've reported.

Explain the issue & impact

Bug bounty submissions must include the following details:

  • Title
  • Summary: a free-form description of the issue
  • The exact steps you took to recreate the issue
  • The impact: in your own words, please include a description of what an attacker could do to exploit this issue

For example, let's say you found a bug that allows an attacker to embed a cross-site scripting attack when updating the "about" field for a user profile. Normally the endpoint accepts plaintext, but the server does not validate the input. When a visitor browses to a page that retrieves that user's profile information through the API, the page fetches the field via an ajax call and displays it unmodified. An attacker can therefore insert a cross-site scripting payload in their profile and use it to read the session cookies of anyone visiting their profile. A good subject line for this issue could be "Cross-Site Scripting when updating your profile via the API".

Recreating the issue

Reproducing the issue you've submitted is critical for us to verify that it's a real issue that qualifies for the bug bounty. For the example cross-site scripting bug above, the description of the steps to recreate the issue could look like this:

  • Log into your www.etsy.com account
  • Browse to www.etsy.com/your/profile
  • Start an intercepting proxy
  • Submit a request on etsy.com/your/profile, and capture the request
  • The POST request field "about" should be changed to include a cross-site scripting vector (e.g. something like ), and the request should be allowed to continue
  • The edit page should show your cross-site scripting attack on the page.
  • Log out and log in as a different user, and visit the first user's profile page at www.etsy.com/people/firstuser
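A report for the example above earns extra credit by also noting the fix, so here is the same "about" field rendered both ways, as an added illustration that is not Etsy's code (function names are hypothetical):

```javascript
// Added example, not Etsy's code: the profile "about" field from the
// stored-XSS scenario above, rendered without and with output encoding.

// Vulnerable: the API response is dropped into the markup unmodified, so any
// HTML a user saved in the field becomes live markup for every visitor.
function renderAboutUnsafe(about) {
  return `<div class="about">${about}</div>`;
}

// Hardened: HTML-escape the five characters that can change the meaning of
// markup before the value is interpolated. In a browser, the equivalent fix
// for an ajax-rendered field is to assign it with element.textContent rather
// than element.innerHTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderAboutSafe(about) {
  return `<div class="about">${escapeHtml(about)}</div>`;
}

// Constructed sample: a seller who legitimately types angle brackets and an
// ampersand. The unsafe render turns <b> into live markup; the safe render
// shows the characters as text, which is what the user actually typed.
const sample = 'I sell <b>mugs</b> & more';
console.log(renderAboutUnsafe(sample)); // <div class="about">I sell <b>mugs</b> & more</div>
console.log(renderAboutSafe(sample));   // <div class="about">I sell &lt;b&gt;mugs&lt;/b&gt; &amp; more</div>
```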

Sending us the URLs and parameters involved in the requests (such as /your/profile and the about field in our example) is very useful in helping us recreate your issue, which is why most successful submissions to our bounty program use an interception proxy like Burp (https://portswigger.net/burp/proxy.html) or Charles Proxy (http://www.charlesproxy.com). Although proxies often give a great deal of insight into how the server is handling requests, we ask that you refrain from speculating about what's going on and instead focus on enumerating the steps required to recreate the issue.

Additional evidence and proof

Video and screenshots demonstrating your issue can be useful in helping us assess your bounty, but we ask that you 1) keep any videos short and to the point, 2) upload them to a reputable video hosting website such as youtube.com, and 3) keep the video private. Including other information, such as the date and the version of the mobile apps involved, can also be very helpful in your bounty submission.

Note the impact of your issue

Sometimes an issue requires some interaction by the victim in order to trigger. There's a big difference between social engineering that requires a victim to visit a custom webpage that looks like Etsy, and an issue that simply requires them to visit a page to be victimized (as in our cross-site scripting example above). In general, the Etsy bug bounty will not honor bounties that require extensive social engineering. We value impact descriptions that give a straightforward account of the damage that can be done (for example, reading a user's session cookies, harvesting sensitive user information, etc.).

We also highly value reports that note proper ways to fix the issues they describe. This, along with a high quality report, factors into your potential bounty payout.

What Makes a Good or Bad bounty?

Good Bounties...

  • Provide an easy-to-follow, step-by-step methodology for reproducing the issue
  • Contain a simple proof-of-concept or attack vector
  • Are checked for grammatical errors and bad spelling
  • Contain a private video link, screenshots, or other visual evidence hosted on a website like YouTube, Dropbox, etc.
  • Offer a compelling exploitation or proof of concept scenario to outline the potential impact of an issue
  • Are reported using the Etsy bug bounty form

Bad Bounties...

  • Have proofs of concept that are copied directly from websites, or that are pages-long output from a scanning tool
  • Include unnecessary or gratuitous details
  • Reference issues that are copied and pasted from other bug bounty websites
  • Are written in a rude, demanding tone of voice
  • Contain a public video link, poor quality video/photos that make it difficult to follow what is happening, or are hosted on a non-reputable website.
  • Make unreasonable claims about the impact of a security issue
  • Are sent to Etsy.com e-mail addresses instead of reporting them using the Etsy bug bounty form

Getting Paid

Are you reporting a valid issue?

We encourage you to read our bug bounty FAQ page to review the guidelines and get a better understanding of what constitutes a valid security bug and what doesn't: https://www.etsy.com/help/article/2463.

Communicating With Us

Sometimes the responses you receive to your report may seem simplistic. We ask that you be patient with us so that we can reproduce your issue faster and expedite the overall bounty process.

How Much Payout Can I Expect?

The impact of a security issue primarily drives the bounty reward. Issues with a secondary impact that a researcher may not initially realize, or with a larger potential risk to members, will also tend to be rewarded better. In general, a higher quality write-up and proof of concept will be rewarded with a higher payout.

What tools should I use?

We've generally found that scanning tools, and reports sent in from scanning tools, tend to mostly produce false positives. Interception tools like Burp proxy are very useful both for finding issues and for keeping track of the URLs and parameters you've manipulated while testing. In general, we've found that keeping an open mind and thinking about the different ways functionality can be misused is helpful when discovering new security issues.

We hope this guide serves as a useful resource in helping you hunt for bugs on Etsy.

Good luck, bug hunters!