Etsy handcrafts rewards for security bug hunters

Etsy has launched its own bug bounty program, believing that opening up its site to scrutiny is industry best practice.

Online handmade goods marketplace Etsy has taken an unexpected move to bolster security by introducing rewards for hackers who responsibly disclose bugs to the company.

Etsy announced on the company blog that it has launched a security bug bounty program similar to Google's.

"Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they've identified a vulnerability which would impact the safety of our marketplace or members. We believe that this is industry best practice," the company's blog post said.

Etsy will pay a minimum of US$500 to qualifying bounty hunters, which may be increased at the company's discretion where the bugs are "distinctly creative" or severe. In keeping with the company's spirit, it will also throw in a few handmade "thank-yous" such as an Etsy Security Team T-shirt.

Spam, social engineering and denial-of-service (DoS) vulnerabilities are not covered under the scope of the bounty program, but, in addition to the main Etsy site, its application programming interface (API) and mobile apps are open for scrutiny.

In April this year, the company launched a responsible disclosure page to provide information security researchers with a way to notify Etsy of bugs. Ten researchers stepped forward to voluntarily highlight bugs, but at the time Etsy did not have a reward scheme in place, and did not pay out a bounty. The company is now honouring those individuals by retroactively making payouts since launching the page.