Etsy launches bug bounty program

It pays to hack Etsy. That is, as long as you quickly explain how you did it.

On Tuesday, the handmade marketplace launched a bug bounty program to reward security researchers for finding vulnerabilities on the site. Etsy’s security engineering manager Zane Lackey announced the reward on his blog:

“Our bounty program will pay a minimum of $500 for qualifying vulnerabilities, subject to a few conditions and with qualification determined by the Etsy Security Team. This bounty will be increased at our discretion for distinctly creative or severe security bugs.”

Lackey has also updated Etsy’s responsible disclosure page with the reward system, which will also include an Etsy Security Team T-shirt and a public thank-you message on the page.

The responsible disclosure page has been active since April 17, but before now researchers were rewarded with a public thank-you on the page. Lackey blogged that the 12 security researchers who have already reported bugs won’t be forgotten.

“[W]e’ll be retroactively applying the bounty to vulnerabilities that have been reported to us since the launch of our responsible disclosure page earlier this year,” he wrote.

The program is comparable to Facebook’s bug bounty, which rewards researchers anywhere from $500 to $40,000 for detecting flaws, or Google’s, where compensation begins at $100. Twitter is an outlier, and currently does not pay its volunteers.

Photo via Etsy