SECURITY ON ARTSY
If you encounter or identify any security issues with Artsy or any of our websites, mobile applications, or services, please submit the issue via the bounty submission form. Someone from our team will be in touch as soon as possible.
Artsy Bug Bounty Program
We welcome security researchers who practice responsible disclosure and comply with our policies. Programs by Google, Facebook, Mozilla, and others have helped to create a strong bug-hunting community. The Artsy bug bounty program gives a tip of the hat to these researchers and rewards them for their efforts. To be eligible for a reward under our bug bounty program, you must comply with the terms outlined below.
- Do not access (or attempt to access) any user’s account or non-public data.
- Do not affect or harm other users (or their access to or use of our services).
- Do not perform any attack that could harm the reliability or integrity of our services or data. For example, DDoS/spam attacks are strictly prohibited.
- Do not publicly disclose a vulnerability before we have resolved it.
- Do not perform (or attempt) non-technical attacks, including spam, social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
What kinds of reports do not qualify?
The following is a non-exhaustive list of reports that do not qualify for a reward under our bug bounty program:
- Issues related to software or protocols not under our control, such as domains or applications that resemble Artsy, or use one of our APIs, but are not managed by Artsy.
- Issues with functionality that is in development, experimental, or released in a "beta" stage. This includes our staging and review applications.
- Disclosure of public information or information that in our opinion does not present a significant risk.
- Disclosure of client identifiers and keys intended as a convenience for open-source contributors.
- Disclosure of credentials by other parties unaffiliated with Artsy.
- Bugs, such as XSS, that only affect legacy browser/plugin versions, bugs that require exceedingly unlikely user activity or interaction, or timing attacks that prove, for example, the existence of a user.
- Cookies shared between different *.artsy.net domains.
- Bugs that have already been reported to us (i.e. first-come, first-served), or bugs that we are otherwise already aware of.
- Issues related to partners.artsy.net.
- Scripting or other automation and brute-forcing of intended functionality (all of which is strictly prohibited).
What are some known issues that do not qualify?
The following are some issues that are already known to us and that are, in our opinion, an acceptable risk across our web, mobile, and other properties. These issues do not qualify for a reward under our bug bounty program. We are mentioning them here to avoid duplicate or equivalent reports from other researchers. If you're not sure if an issue you're thinking about researching or reporting would be eligible for a reward under our bug bounty program, feel free to email us first.
- Username or email enumeration, such as through signup, login, or password reset, known as #78330000.
- Mobile number enumeration, known as #84944560.
- Unverified email addresses and the ability to pretend to be someone else. We consider both individual names and email addresses to be user data and don't have the concept of verified accounts. This is tracked as #78152068.
- We've rolled out SSL + HSTS almost everywhere. A handful of services have not yet been updated, which is known as #80962976.
- Missing headers from the usual security-header checklists and similar, including X-Content-Type-Options (#80120318), X-Content-Security-Policy (#77613710), X-XSS-Protection (#78287046), X-Download-Options (#81689852) and X-Permitted-Cross-Domain-Policies (#82478938).
- The OPTIONS method is enabled because we support CORS (preflight requests), tracked as #81577520.
- Allowing browsers to remember passwords via auto-complete, tracked as #81578134.
- Lack of certain email authentication protocols (e.g. DMARC) or lack of a strict implementation of them (e.g. an enforcing DMARC policy). These protocols are not uniformly respected and can interfere with common email configurations like forwards. We evaluated these trade-offs and found our current configuration to be acceptable.
- Session cookies remain valid, and can therefore be reused, until log-out or certain account updates, known as #GF41.
- A user account's email address changing does not log the user out of existing sessions, known as #GF71. Please see issue #78152068 for the reason that this issue does not qualify.
- Existence of obsolete links on our sites, known as #GF74. Obsolete links will eventually be noticed and corrected if necessary.
- Keys (such as for mapping functionality) that are intentionally exposed in site HTML, known as #GF38.
We may issue monetary rewards for reported issues that we decide to fix, with higher rewards for distinctly creative or severe security issues. Issues that we determine to be an insignificant or accepted risk will not be eligible for a reward. The reward amount will be based on the severity of the issue and range from $25 to $500.
Please note that only reports submitted via the bounty submission form will be eligible for a reward under our bug bounty program.
Checking the Status of Reports or Rewards
We are a small and very busy Engineering Team, and we receive a lot of emails. Please do not send us multiple or repetitious emails asking the same questions about submitted reports or the status of potential bounty payments. This will not accelerate the process and may result in a slower response due to the extra burden on our inbox. We appreciate your patience.
Also, please be aware that repeat submission of issues on the unqualified list may result in you not receiving a response.
A Few Legal Terms
Our bug bounty program is not a contest or competition. It is an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice. All decisions as to the amount and type of rewards that may be issued, the method of payment (for monetary rewards), and whether or not any reported issue constitutes a significant risk or is eligible for a reward, will be determined at Artsy's complete discretion in each case. We only issue rewards to individuals and may require a completed and signed U.S. form W-9 or W-8BEN as applicable. We typically issue monetary rewards by PayPal or check, and require your full name and appropriate contact information. You are responsible for any tax implications of any reward you receive and must comply with all tax laws applicable to any rewards that we may issue you. We cannot issue rewards to individuals who are on sanctions lists, or who are located in countries (e.g. Cuba, Iran, North Korea, Sudan, or Syria) that are on sanctions lists. You must comply with all applicable local, state, national, and international laws, rules, and regulations in connection with your participation in this program. Your participation in this program must not disrupt or compromise any data that does not belong to you.
Recently Fixed Issues
The following issues have been reported by security researchers and received a bounty reward.
- 2/7/2018: XSS via user-agent header on artsy.net.
- 1/31/2018: Leaked Slack credentials in Github.
- 1/31/2018: Open subdomain takeover.
- 6/28/2017: Public repo Github token leak.
- 6/28/2017: Links in password reset emails are not SSL.
- 6/28/2017: Heroku domain registration regression.
- 6/28/2017: Incorrect S3 bucket permissions.
- 5/26/2017: Incorrect S3 bucket permissions.
- 4/5/2017: Open-redirect on artsy.net.
- 4/5/2017: CSRF in Twitter auth.
- 9/6/2016: IFrame click-jacking in Writer.
- 9/6/2016: XSS in checkout and messaging flows.
- 9/6/2016: XSS in user preferences.
- 6/20/2016: Open-redirect on developers.artsy.net.
- 6/2/2016: Successful login clears password reset token.
- 5/20/2016: iphone.artsy.net parameter pollution.
- 5/20/2016: Intercom session not cleared on writer app.
- 4/27/2016: XSS in error field.
- 2/8/2016: Open redirect on api.artsy.net.
- 2/7/2016: Profile protections bypassed.
- 12/22/2015: Twitter OAuth has CSRF.
- 12/22/2015: Facebook OAuth account linking has CSRF.
- 12/22/2015: XSS in Artsy Writer titles.
- 10/19/2015: Fixed access control for featuring news articles.
- 10/20/2015: XSS in Artsy writer.
- 10/15/2015: Enforced ZIP cc check when placing bids.
- 10/13/2015: CSRF on login form.
- 10/12/2015: Enforced SSL in fusion.artsy.net.
- 9/28/2015: Added hardfail SPF records to non-essential domains.
- 8/19/2015: Profile cache not affecting profile visibility immediately.
- 8/11/2015: Leaking a third-party service auth key client-side.
- 8/11/2015: XSS on m.artsy.net.
- 7/22/2015: Made SPF records hardfail.
- 4/9/2015: Updated SSL certificates, now SHA-2.
- 4/7/2015: Facebook OAuth now has CSRF protection.
- 3/17/2015: XSS in cms.artsy.net.
- 3/12/2015: Open-redirect on https://www.artsy.net and https://developers.artsy.net with malformed protocol.
- 3/5/2015: Open-redirect on https://developers.artsy.net.
- 2/5/2015: Clickjacking on an unused ads.artsy.net.
- 12/18/2014: Password change rate not limited for logged in users.
- 12/16/2014: Logout via IMG tag.
- 12/8/2014: Unsafe HTML rendered via greeting in e-mails.
- 12/4/2014: Tabnabbing in profile links.
- 11/14/2014: Open-redirect with malformed URLs in api.artsy.net.
- 11/7/2014: Lack of CSRF protection in linking social accounts.
- 11/7/2014: Browser may cache private data on https://developers.artsy.net.
- 10/22/2014: XSS in login.
- 10/15/2014: Disabled SSLv3, Poodle attack.
- 10/14/2014: Service takeover via Heroku name grab.
- 10/8/2014: Leaking referrer in password reset.
- 10/3/2014: Rolled out HSTS.
- 10/3/2014: Marked session cookies secure.
- 10/3/2014: Reset password token not cleared on password change.
- 9/29/2014: XSS in inquiry emails.
- 9/17/2014: Session reuse after logout.
- 9/11/2014: Message rate abuse for iPhone app SMS invites.
- 9/11/2014: Password reset emails lack resend threshold.
- 9/10/2014: Reflected XSS in api.artsy.net.
- 9/9/2014: XSS in flash in artsy.net.
- 9/5/2014: Session fixation vulnerability.
- 9/2/2014: Back button may show cached personal data after logout.
- 8/29/2014: XSS in user signup.
- 8/29/2014: Password reset token vulnerability.
- 8/24/2014: XSS in user bio.
- 8/24/2014: XSS in user onboarding.
- 8/22/2014: XSS in user posts.
- 8/21/2014: Open-redirect in OAuth.
- 8/21/2014: Open-redirect in login.
- 8/21/2014: Password brute-force vulnerability.
- 8/21/2014: Clickjacking vulnerability.
We'd like to thank the following security researchers who have reported issues that we have since resolved.
- Abhishek Mahato
- Shubham Sahu
- கோபிநாத் மதுரை (Gopinath Madurai)
- Vikas Anil Sharma
- Manikandan Rajakumar
- Frans Rosén
- Juan Broullón Sampedro
- Sergei Markov
- Mathias Karlsson
- Huzaifa Jawaid
- Jigar Thakkar (Akhani)
- Manjesh S
- Evan Ricafort
- Daksh Patel
- Mahmoud Reda Abdelmonem
- Hammad Shamsi
- Mar Adrian Belen
- Bypass Security
- Mohammed Fayez Albanna
- Muhammad Talha Khan
- Pranav Hivarekar
- Abdul Haq Khokhar
- Tushar D. Parab - BaPpA_m0rYa
- Sandeep Singh
- Suraj Mulik
- Apoorv Joshi
- Mohamed A. Baset
- Karen Nikoghosyan
- Sandeep Sudhagani
- Koutrouss Naddara
- Milan A Solanki
- Basava Gowda
- Shailesh Suthar
- Ch. Chakradhar
- Norwin Ronda Boniao
- Leandro Chaves
- Joel Melegrito
- Jay Patel
- Yasin Soliman
- Vinoth Kumar
- Fredrik Nordberg Almroth
- Mayur Udiniya