Announcing the Etsy Security Bug Bounty Program

Posted by Zane Lackey on September 11, 2012

On April 17 of this year we launched our responsible disclosure page (http://www.etsy.com/help/article/2463). At the time, our goal was to provide security researchers with a direct point of contact if they had identified a vulnerability in our site, API, or mobile application. Thus far we’ve received excellent reports from researchers, as well as some exciting offers from Nigerian princes.

Today, we’d like to take this a step further and announce the launch of our security bug bounty program. Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they’ve identified a vulnerability which would impact the safety of our marketplace or members. We believe that this is industry best practice. Our bounty program will pay a minimum of $500 for qualifying vulnerabilities, subject to a few conditions and with qualification determined by the Etsy Security Team. This bounty will be increased at our discretion for distinctly creative or severe security bugs. To give it the proper Etsy feel, we’ll also be throwing in some handmade thank-yous such as an Etsy Security Team T-shirt. Additionally, we’ll be retroactively applying the bounty to vulnerabilities that have been reported to us since the launch of our responsible disclosure page earlier this year.

You can find the full information on the new program here: http://www.etsy.com/help/article/2463