Announcing the Etsy Security Bug Bounty Program

Posted by on September 11, 2012

On April 17 of this year we launched our responsible disclosure page (http://www.etsy.com/help/article/2463). At the time, our goal was to provide security researchers with a direct point of contact if they had identified a vulnerability in our site, API, or mobile application. Thus far we’ve received excellent reports from researchers, as well as some exciting offers from Nigerian princes.

Today, we’d like to take this a step further and announce the launch of our security bug bounty program. Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they’ve identified a vulnerability which would impact the safety of our marketplace or members. We believe that this is industry best practice. Our bounty program will pay a minimum of $500 for qualifying vulnerabilities, subject to a few conditions and with qualification determined by the Etsy Security Team. This bounty will be increased at our discretion for distinctly creative or severe security bugs. To give it the proper Etsy feel, we’ll also be throwing in some handmade thank-yous such as an Etsy Security Team T-shirt. Additionally, we’ll be retroactively applying the bounty to vulnerabilities that have been reported to us since the launch of our responsible disclosure page earlier this year.

You can find the full information on the new program here: http://www.etsy.com/help/article/2463

Category: security

12 Comments

Exciting offers from Nigerian princes? Where should I send the cheque to find out more details?

Well done Etsy Security Team, now I have a reason to visit Etsy as often as my wife. 🙂

Oops.. found one in http://www.etsy.com/help/article/2463
Does that count?

[…] on the company blog, Etsy has launched a security bug bounty program that’s similar to […]

Please, visit without buying – Etsy will pay *you*!

It’s all about the clicks…

(Just kidding, I’m sure this is an excellent use of Etsy’s resources.)

But keep in mind – “63% more” of bugs are really “intended effects” of some misbegotten test or other. No check for you!

[…] Announcing the Etsy Security Bug Bounty Program (Code as Craft) […]

@Disclosure: Fantastic! Please give us a shout at our security-reports mailbox and we’d love to check it out.

[…] also launched bug bounty programs, and even the crafts site Etsy got into the game recently with a program that pays not only for new bugs, but also retroactively for previously reported bugs, to thank […]

[…] we have a variety of web sites / services offering bounties: PayPal, CCBill, Facebook, Etsy, Google Gmail.com / YouTube.com / Blogger.com, and Ishar to name a […]