Artsy

We welcome security researchers that practice responsible disclosure and comply with our policies. Programs by Google, Facebook, Mozilla, and others have helped to create a strong bug-hunting community. The Artsy bug bounty program gives a tip of the hat to these researchers and rewards them for their efforts.

In order to be eligible for a reward under our bug bounty program, you must comply with the terms outlined below.

BASIC RULES

In addition to complying with our Terms of Use and any other applicable terms and conditions, you must also follow these basic rules when participating in our bug bounty program:

• Do not access (or attempt to access) any user’s account or non-public data.
• Do not affect or harm other users (or their access to or use of our services).
• Do not perform any attack that could harm the reliability or integrity of our services or data. For example, DDoS/spam attacks are strictly prohibited.
• Do not publicly disclose a vulnerability before we have resolved it.
• Do not perform (or attempt) non-technical attacks, including spam, social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

WHAT KINDS OF REPORTS DO NOT QUALIFY?

The following is a non-exhaustive list of reports that do not qualify for a reward under our bug bounty program:

• Disclosure of public information or information that in our opinion does not present a significant risk.
• Bugs, such as XSS, that only affect legacy browser/plugin versions, bugs that require exceedingly unlikely user activity or interaction, or timing attacks that prove, for example, the existence of a user.
• Cookies shared between different *.artsy.net domains.
• Bugs that have already been reported to us (i.e. first-come, first-served), or bugs that we are otherwise already aware of.
• Scripting or other automation and brute forcing of intended functionality (all of which is strictly prohibited).
• Issues related to software or protocols not under our control.

REWARDS

We may issue monetary rewards for reported issues that we decide to fix, with higher rewards for distinctly creative or severe security issues. Issues that we determine to be an insignificant or accepted risk will not be eligible for a reward. A typical reward for a single reported issue is U.S. $25. Some more severe issues can be $100. The maximum amount for any issue that the bug bounty program pays for single issue is of $250. If we determine that an issue you report does not qualify for a monetary reward, or if you're unable or unwilling to provide the personal information we require to issue a monetary reward, we may still send you a t-shirt or a tote, stickers, or some other token form of recognition to say thanks. Please note that only reports submitted by email to [email protected] may be eligible for a reward under our bug bounty program.