Is etsy com legit or a scam

Report security vulnerabilities responsibly

If you are an Etsy member and want to report fraudulent activity, account disputes or spam, please contact Etsy's support team by clicking the link at the bottom of this page.

To report a fake or phishing email, please contact [email protected]

For professional security researchers

What is a bug?

Web application vulnerabilities such as XSS, CSRF, SQLi, authentication issues, remote code execution, and authorization issues are considered bugs. The vulnerability must be in the main website, the API, or Etsy's official mobile app.

Please note that systems over which we have no control (such as links / redirects to third-party websites or CDNs) are excluded from our bounty program. You must be the first person to responsibly report the bug to us, you must discover the vulnerability yourself, and you must adhere to a responsible disclosure policy by giving us a reasonable amount of time to resolve the issue before disclosing any information to the public.

What is not considered a bug?

Although we review each report on a case-by-case basis, the following are some examples of problems that typically do not meet the requirements of our bounty program:

  • Best practices. We do not accept messages that are merely suggestions for configuration / guidelines.

  • Results from automated tools without a proof of concept. Results that are copied from websites or vulnerability scanners without a proof of concept usually contain a large number of false positives.

  • Security messages that are not related to If you submit a report for a domain that is outside the scope of our bounty program, we will ignore it.

  • Defects that occur specifically in outdated browsers / plugins. You can find out more about outdated browsers here.

  • Logout CSRF (Cross-Site-Request-Forgery). For more information on this issue, see the blog posts on the topic by Chris Evans and Michal Zalewski.

  • Missing secure flag for cookies with non-sensitive data. To protect session cookies with sensitive data, we offer SSL as a mechanism against man-in-the-middle (MITM) attacks (via HSTS) across the entire website. You can find more information on this topic here:

  • Missing HTTPOnly flag for cookies with non-sensitive data. We have set the HTTPOnly flag on cookies that we believe contain sensitive data, and we do not see the absence of HTTPOnly on cookies as a security flaw.

  • Member name enumeration through login or password reset. Member name enumeration can be a security flaw in a number of web applications, but Etsy is a public marketplace so member names can be deliberately enumerated in a variety of ways, such as articles, forum posts, shops, etc.

  • CSRF issue submitted with a proof of concept that contains a nonce. Please review your submission carefully to ensure that you are not sending us a proof of concept that contains a nonce.

Things to look out for when testing

  • Don't test for issues like spam, social engineering, and denial of service.

  • Due to the special nature of our marketplace, please do not use automated scanners without strongly limiting the scope. Running automated scanners across the site can create spam in forums, teams, and blog comments. Automated scanners can also send spam messages and purchase items from legitimate Etsy stores. It should also be noted that we use automated blocking mechanisms to intercept scanners. These will prevent you from accessing the website or submitting bounty reports through the bounty submission form for a full day. These actions disrupt the use of the marketplace by our members and do not correspond to the purpose of our bounty program.

  • If you want to test messages on Etsy, please use our dedicated test accounts and do not send messages to legitimate members of the site. If you are testing the item listing process, you must remove all items immediately after completing the test.

  • If you want to test items or other shop functions, put your shop in developer mode:

  • We reserve the right to deactivate and / or suspend your test accounts if we discover that you are violating these guidelines.

  • Please do not create an excessive number of accounts for testing purposes and limit your test transactions to small amounts (less than 1 USD).

Review of bounty reports

The Etsy security team reviews every bounty report as it is received. We often get multiple messages for issues that need to be fixed, so we'll first see if your issue has already been reported.

Unless the message is a duplicate, issues that are not immediately weeded out based on the criteria above (such as scope, issues not applicable to the program, etc.) are tested to see if the issue can be reproduced. If it cannot be reproduced, we will email you for further information.

We then decide whether the report describes an actual security issue that needs to be fixed, as opposed to a bug that prevents a feature from working properly.

If your report meets the criteria outlined above, we will email you to confirm that we accept your bounty and we will start resolving the problem.

The bounty

As a reward for reporting potential security vulnerabilities, your name will be published on our bug bounty page and you will receive an Etsy Security Team T-shirt. Financial rewards may be paid, at our sole discretion, for particularly creative or serious bugs. If we meet you at a security conference, we'll give you an appreciative pat on the back and tell everyone how amazing you are.

Report a vulnerability

Please contact us using this form:

Please note that fraudulent activity, account disputes or spam are not part of the bug bounty program and should be reported here. Please report these types of issues to Etsy's support team.

Please do not contact Etsy staff directly about your bounty submission. We reserve the right to refuse or block membership in the program at any time and without giving a reason.

Taxes and Restrictions

The following persons are excluded from participation in the program: minors, persons listed on sanctions lists or persons in countries that are on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local laws.

We reserve the right to terminate this program at any time and the decision to pay an award is at our sole discretion. You must not violate any applicable laws. You are also not allowed to interrupt a service or compromise another person's data.

We very much appreciate the contributions of security researchers to the security of our community. Here you will find a list of the people who responsibly alerted us to security vulnerabilities in the past.