SECURITY ON ARTSY
If you encounter or identify any security issues with Artsy or any of our websites, mobile applications, or services, you may contact our Engineering Team directly by email at [email protected]. Someone will be in touch, usually within 7 days.
Artsy Bug Bounty Program
We welcome security researchers that practice responsible disclosure and comply with our policies. Programs by Google, Facebook, Mozilla, and others have helped to create a strong bug-hunting community. The Artsy bug bounty program gives a tip of the hat to these researchers and rewards them for their efforts. In order to be eligible for a reward under our bug bounty program, you must comply with the terms outlined below.
- Do not access (or attempt to access) any user’s account or non-public data.
- Do not affect or harm other users (or their access to or use of our services).
- Do not perform any attack that could harm the reliability or integrity of our services or data. For example, DDoS/spam attacks are strictly prohibited.
- Do not publicly disclose a vulnerability before we have resolved it.
- Do not perform (or attempt) non-technical attacks, including spam, social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
What kinds of reports do not qualify?
The following is a non-exhaustive list of reports that do not qualify for a reward under our bug bounty program:
- Disclosure of public information or information that in our opinion does not present a significant risk.
- Disclosure of client identifiers and keys intended as a convenience for open-source contributors.
- Disclosure of credentials by other parties unaffiliated with Artsy.
- Bugs, such as XSS, that only affect legacy browser/plugin versions, bugs that require exceedingly unlikely user activity or interaction, or timing attacks that prove, for example, the existence of a user.
- Cookies shared between different *.artsy.net domains.
- Bugs that have already been reported to us (i.e. first-come, first-served), or bugs that we are otherwise already aware of.
- Issues with functionality that is in-development, experimental, or released in a "beta" stage.
- Scripting or other automation and brute forcing of intended functionality (all of which is strictly prohibited).
- Issues related to software or protocols not under our control.
What are some known issues that do not qualify?
The following are some issues that are already known to us and that are, in our opinion, an acceptable risk across our web, mobile and other properties. These issues do not qualify for a reward under our bug bounty program. We are mentioning them here to avoid duplicate or equivalent reports from other researchers. If you're not sure if an issue you're thinking about researching or reporting would be eligible for a reward under our bug bounty program, feel free to email us first.
- Username or email enumeration through login or password reset, known as #78330000.
- Mobile number enumeration, known as #84944560.
- Unverified email addresses and the ability to pretend to be someone else. We consider both individual names and email addresses to be user data and don't have the concept of verified accounts. This is tracked as #78152068.
- We've rolled out SSL + HSTS almost everywhere. A handful of services have not yet been updated, which is known as #80962976.
- Missing headers from this list and this list and similar, including X-Content-Type (#80120318), X-Content-Security-Policy (#77613710), X-XSS-Protection (#78287046), X-Download-Options (#81689852) and X-Permitted-Cross-Domain-Policies (#82478938).
- OPTIONS method enabled (we support CORS), tracked as #81577520.
- Allowing browsers to remember passwords via auto-complete, tracked as #81578134.
We may issue monetary rewards for reported issues that we decide to fix, with higher rewards for distinctly creative or severe security issues. Issues that we determine to be an insignificant or accepted risk will not be eligible for a reward. A typical reward for a single reported issue is U.S. $25. Some more severe issues can be $100. The maximum amount the bug bounty program pays for a single issue is $250. If we determine that an issue you report does not qualify for a monetary reward, or if you're unable or unwilling to provide the personal information we require to issue a monetary reward, we may still send you a t-shirt or a tote, stickers, or some other token form of recognition to say thanks. Please note that only reports submitted by email to [email protected] may be eligible for a reward under our bug bounty program.
Checking the Status of Reports or Rewards
We are a small and very busy Engineering Team, and we receive a lot of email. Please do not send us multiple or repetitious emails asking the same questions about submitted reports or the status of potential bounty payments. This will not accelerate the process, and may actually result in a slower response due to the extra burden on our inbox. We appreciate your patience.
A Few Legal Terms
Our bug bounty program is not a contest or competition. It is an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice. All decisions as to the amount and type of rewards that may be issued, the method of payment (for monetary rewards), and whether or not any reported issue constitutes a significant risk or is eligible for a reward, will be determined at Artsy's complete discretion in each case. We only issue rewards to individuals, and may require a completed and signed U.S. form W-9 or W-8BEN as applicable. We typically issue monetary rewards by PayPal or check, and require your full name and appropriate contact information. You are responsible for any tax implications of any reward you receive and must comply with all tax laws applicable to any rewards that we may issue you. We cannot issue rewards to individuals who are on sanctions lists, or who are located in countries (e.g. Cuba, Iran, North Korea, Sudan or Syria) that are on sanctions lists. You must comply with all applicable local, state, national, and international laws, rules, and regulations in connection with your participation in this program. Your participation in this program must not disrupt or compromise any data that does not belong to you.
Between 2014 and 2018, we resolved the following issues reported by a few dozen security researchers, and paid a few thousand dollars in total bounty.
- 2/7/2018: XSS via user-agent header on artsy.net.
- 1/31/2018: Leaked Slack credentials in Github.
- 1/31/2018: Open subdomain takeover.
- 6/28/2017: Public repo Github token leak.
- 6/28/2017: Links in password reset emails are not SSL.
- 6/28/2017: Heroku domain registration regression.
- 6/28/2017: Incorrect S3 bucket permissions.
- 5/26/2017: Incorrect S3 bucket permissions.
- 4/5/2017: Open-redirect on artsy.net.
- 4/5/2017: CSRF in Twitter auth.
- 9/6/2016: IFrame click-jacking in Writer.
- 9/6/2016: XSS in checkout and messaging flows.
- 9/6/2016: XSS in user preferences.
- 6/20/2016: Open-redirect on developers.artsy.net.
- 6/2/2016: Successful login clears password reset token.
- 5/20/2016: iphone.artsy.net parameter pollution.
- 5/20/2016: Intercom session not cleared on writer app.
- 4/27/2016: XSS in error field.
- 2/8/2016: Open redirect on api.artsy.net.
- 2/7/2016: Profile protections bypassed.
- 12/22/2015: Twitter OAuth has CSRF.
- 12/22/2015: Facebook OAuth account linking has CSRF.
- 12/22/2015: XSS in Artsy Writer titles.
- 10/19/2015: Fixed access control for featuring news articles.
- 10/20/2015: XSS in Artsy writer.
- 10/15/2015: Enforced ZIP cc check when placing bids.
- 10/13/2015: CSRF on login form.
- 10/12/2015: Enforced SSL in fusion.artsy.net.
- 9/28/2015: Added hardfail SPF records to non-essential domains.
- 8/19/2015: Profile cache not affecting profile visibility immediately.
- 8/11/2015: Leaking a third-party service auth key client-side.
- 8/11/2015: XSS on m.artsy.net.
- 7/22/2015: Made SPF records hardfail.
- 4/9/2015: Updated SSL certificates, now SHA-2.
- 4/7/2015: Facebook OAuth now has CSRF.
- 3/17/2015: XSS in cms.artsy.net.
- 3/12/2015: Open-redirect on https://www.artsy.net and https://developers.artsy.net with malformed protocol.
- 3/5/2015: Open-redirect on https://developers.artsy.net.
- 2/5/2015: Clickjacking on an unused ads.artsy.net.
- 12/18/2014: Password change rate not limited for logged in users.
- 12/16/2014: Logout via IMG tag.
- 12/8/2014: Unsafe HTML rendered via greeting in e-mails.
- 12/4/2014: Tabnabbing in profile links.
- 11/14/2014: Open-redirect with malformed URLs in api.artsy.net.
- 11/7/2014: Lack of CSRF in linking social accounts.
- 11/7/2014: Browser may cache private data on https://developers.artsy.net.
- 10/22/2014: XSS in login.
- 10/15/2014: Disabled SSLv3 (POODLE attack).
- 10/14/2014: Service takeover via Heroku name grab.
- 10/8/2014: Leaking referrer in password reset.
- 10/3/2014: Rolled out HSTS.
- 10/3/2014: Marked session cookies secure.
- 10/3/2014: Reset password token not cleared on password change.
- 9/29/2014: XSS in inquiry emails.
- 9/17/2014: Session reuse after logout.
- 9/11/2014: Message rate abuse for iPhone app SMS invites.
- 9/11/2014: Password reset emails lack resend threshold.
- 9/10/2014: Reflected XSS in api.artsy.net.
- 9/9/2014: XSS in flash in artsy.net.
- 9/5/2014: Session fixation vulnerability.
- 9/2/2014: Back button may show cached personal data after logout.
- 8/29/2014: XSS in user signup.
- 8/29/2014: Password reset token vulnerability.
- 8/24/2014: XSS in user bio.
- 8/24/2014: XSS in user onboarding.
- 8/22/2014: XSS in user posts.
- 8/21/2014: Open-redirect in OAuth.
- 8/21/2014: Open-redirect in login.
- 8/21/2014: Password brute-force vulnerability.
- 8/21/2014: Clickjacking vulnerability.
We'd like to thank the following security researchers who have reported issues that we have since resolved.