“Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they’ve identified a vulnerability which would impact the safety of our marketplace or members,” Lackey wrote. “We believe that this is industry best practice.”
“Web application vulnerabilities such as XSS, CSRF, authentication issues, remote code execution, and authorization issues are fair game, but testing for denial of service vulnerabilities and vulnerability to social engineering will not be taken into consideration,” writes Help Net Security’s Zeljka Zorz.
“Etsy will pay a minimum of $500 to qualifying bounty hunters, which may be increased at the company’s discretion where the bugs are ‘distinctly creative’ or severe,” writes ZDNet’s Michael Lee. “In keeping with the company’s spirit, it will also throw in a few handmade ‘thank-yous’ such as an Etsy Security Team T-shirt.”
“The bounty will be retroactively applied to those who have reported bugs to Etsy since the April implementation of its responsible disclosures page,” writes PCMag.com’s Stephanie Mlot. “Payments may be increased for distinctly creative or severe security bugs at the team’s discretion, Lackey said.”
“Etsy is the latest in a string of companies including Google, Mozilla, Facebook and Samsung prepared to shell out for privately-disclosed vulnerabilities,” notes SC Magazine’s Darren Pauli. “PayPal began offering a similar option in June after the company’s chief security officer Michael Barrett changed his tune on paying for vulnerabilities. Google paid out $2 million in bounties at the Malaysian Hack in the Box conference, including $60,000 for researchers who pull off a ‘full Chrome exploit,’ which involves an attack that leverages only vulnerabilities in the Chrome browser.”