Artsy values your privacy, and it is our goal to maintain the security of our platform. This page describes some steps that we are taking to address potential security issues, and to help protect Artsy, our users, and their data. For more information about how we may collect, store, and use data from our users, please see our Privacy Policy.

Reporting Issues

If you encounter or identify any security issues with Artsy or any of websites, mobile applications, or services, you may contact our Engineering Team directly by email at [email protected]. Someone will be in touch, usually within 7 days.

Artsy Bug Bounty Program

We welcome security researchers that practice responsible disclosure and comply with our policies. Programs by Google, Facebook, Mozilla, and others have helped to create a strong bug-hunting community. The Artsy bug bounty program gives a tip of the hat to these researchers and rewards them for their efforts. In order to be eligible for a reward under our bug bounty program, you must comply with the terms outlined below.

Basic Rules

In addition to complying with our Terms of Use and any other applicable terms and conditions, you must also follow these basic rules when participating in our bug bounty program:

What kinds of reports do not qualify?

The following is a non-exhaustive list of reports that do not qualify for a reward under our bug bounty program:

What are some known issues that do not qualify?

The following are some issues that are already known to us and that are, in our opinion, an acceptable risk across our web, mobile and other properties. These issues do not qualify for a reward under our bug bounty program. We are mentioning them here to avoid duplicate or equivalent reports from other researchers. If you're not sure if an issue you're thinking about researching or reporting would be eligible for a reward under our bug bounty program, feel free to email us first.


We may issue monetary rewards for reported issues that we decide to fix, with higher rewards for distinctly creative or severe security issues. Issues that we determine to be an insignificant or accepted risk will not be eligible for a reward. A typical reward for a single reported issue is U.S. $25. Some more severe issues can be $100. The maximum amount for any issue that the bug bounty program pays for single issue is of $250. If we determine that an issue you report does not qualify for a monetary reward, or if you're unable or unwilling to provide the personal information we require to issue a monetary reward, we may still send you a t-shirt or a tote, stickers, or some other token form of recognition to say thanks. Please note that only reports submitted by email to [email protected] may be eligible for a reward under our bug bounty program.

Checking the Status of Reports or Rewards

We are a small and very busy Engineering Team, and we receive a lot of email. Please do not send us multiple or repetitious email asking the same questions about submitted reports or the status of potential bounty payments. This will not accelerate the process, and may actually result in a slower response due to the extra burden on our inbox. We appreciate your patience.

Our bug bounty program is not a contest or competition. It is an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice. All decisions as to the amount and type of rewards that may be issued, the method of payment (for monetary rewards), and whether or not any reported issue constitutes a significant risk or is eligible for a reward, will be determined at Artsy's complete discretion in each case. We only issue rewards to individuals, and may require a completed and signed U.S. form W-9 or W-8BEN as applicable. We typically issue monetary rewards by Paypal or check, and require your full name and appropriate contact information. You are responsible for any tax implications of any reward you receive and must comply with all tax laws applicable to any rewards that we may issue you. We cannot issue rewards to individuals who are on sanctions lists, or who are located in countries (e.g. Cuba, Iran, North Korea, Sudan or Syria) that are on sanctions lists. You must comply with all applicable local, state, national, and international laws, rules, and regulations in connection with your participation in this program. Your participation in this program must not disrupt or compromise any data that does not belong to you.

Fixed Issues

Between 2014 and 2018, we have resolved the following issues reported by a few dozen security researchers, and paid a few thousand dollars in total bounty.


We'd like to thank the following security researchers who have reported issues that we have since resolved.