Etsy handcrafts rewards for security bug hunters

Summary: Etsy has launched its own bug bounty program, believing that opening up its site to scrutiny is industry best practice.

TOPICS: Security, Google

Online handmade goods marketplace Etsy has taken an unexpected move to bolster security by introducing rewards for hackers who responsibly disclose bugs to the company.

Etsy announced on the company blog that it has launched a security bug bounty program similar to Google's.

"Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they've identified a vulnerability which would impact the safety of our marketplace or members. We believe that this is industry best practice," the company's blog post said.

Etsy will pay a minimum of US$500 to qualifying bounty hunters, which may be increased at the company's discretion where the bugs are "distinctly creative" or severe. In keeping with the company's spirit, it will also throw in a few handmade "thank-yous" such as an Etsy Security Team T-shirt.

Spam, social engineering and denial-of-service (DoS) vulnerabilities are not covered under the scope of the bounty program, but, in addition to the main Etsy site, its application programming interface (API) and mobile apps are open for scrutiny.

In April this year, the company launched a responsible disclosure page to give information security researchers a way to notify Etsy of bugs. Ten researchers stepped forward to voluntarily highlight bugs, but at the time Etsy did not have a reward scheme in place and did not pay out a bounty. The company is now honouring those individuals by retroactively making payouts for reports made since the page launched.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
