Etsy joins bug bounty crew

By on
Etsy joins bug bounty crew

Offers $500 minimum, a t-shirt and a high-five.

Online art and clothing store Etsy has opened a bug bounty program that would reward security researchers for reporting vulnerabilities found on the website.

The company would offer a minimum of $US500 ($A479) for bugs and more for “distinctly creative or severe security bugs”. It did not state a maximum payout.

It would accept web application vulnerabilities such as Cross Site Scripting and Cross-site request forgeries, authentication issues, remote code execution, and authorisation problems within, the site’s application programming interface, and its mobile application.

“This means please do not test for: spam, social engineering, or denial of service vulnerabilities,” it said in a statement.

“You also must not disrupt any service or compromise anyone’s data.”

It said bug bounties were “industry best practice”.

The bug bounty program follows the company's publication of responsible disclosure policies in April that eliminated fear of legal action in response to unauthorised security tests and encouraged researchers to report vulnerabilities.

Those who previously reported flaws will be paid under the new program.

Etsy is the latest in a string of companies including Google, Mozilla, Facebook and Samsung prepared to shell out for privately-disclosed vulnerabilities.

PayPal began offering a similar option in June after the company’s chief security officer Michael Barrett changed his tune on paying for vulnerabilities.

Google paid out $2 million in bounties at the Malaysian Hack in the Box conference, including $60,000 for researchers who pull off a "full Chrome exploit", which involves an attack that leverages only vulnerabilities in the Chrome browser. 

It paid $50,000 for a "partial Chrome exploit", which requires the use of bugs in third-party software.

But Microsoft considers bug bounties superfluous. Its security response centre was inundated with free vulnerability reports from researchers looking for fame, not fortune. Up to 80 percent of Microsoft vulnerabilities were privately and freely reported.

Redmond has instead chosen to pay up to $20,000 under its BlueHat competition to researchers who create defensive technologies which block a class of exploits.

Copyright © SC Magazine, Australia


Most Read Articles

Log In

|  Forgot your password?