Artsy values your privacy, and it is our goal to maintain the security of our platform. This page describes some steps that we are taking to address potential security issues and to help protect Artsy, our users, and their data. For more information about how we may collect, store, and use data from our users, please see our Privacy Policy.
If you encounter or identify any security issues with Artsy or any of our websites, mobile applications, or services, please submit the issue via the bounty submission form. Someone from our team will be in touch as soon as possible.
We welcome security researchers that practice responsible disclosure and comply with our policies. Programs by Google, Facebook, Mozilla, and others have helped to create a strong bug-hunting community. The Artsy bug bounty program gives a tip of the hat to these researchers and rewards them for their efforts. To be eligible for a reward under our bug bounty program, you must comply with the terms outlined below.
In addition to complying with our Terms of Use and any other applicable terms and conditions, you must also follow these basic rules when participating in our bug bounty program:
The following is a non-exhaustive list of reports that do not qualify for a reward under our bug bounty program:
Issues related to software or protocols not under our control, such as domains or applications that resemble Artsy, or use one of our APIs, but are not managed by Artsy.
Issues with functionality that is in development, experimental, or released in a "beta" stage. This includes our staging and review applications.
Disclosure of public information or information that in our opinion does not present a significant risk.
Disclosure of client identifiers and keys intended as a convenience for open-source contributors.
Disclosure of credentials by other parties unaffiliated with Artsy.
Bugs, such as XSS, that only affect legacy browser/plugin versions, bugs that require exceedingly unlikely user activity or interaction, or timing attacks that prove, for example, the existence of a user.
Cookies shared between different *.artsy.net domains.
Bugs that have already been reported to us (i.e. first-come, first-served), or bugs that we are otherwise already aware of.
Scripting or other automation and brute-forcing of intended functionality (all of which is strictly prohibited).
The following are some issues that are already known to us and that are, in our opinion, an acceptable risk across our web, mobile, and other properties. These issues do not qualify for a reward under our bug bounty program. We are mentioning them here to avoid duplicate or equivalent reports from other researchers. If you're not sure if an issue you're thinking about researching or reporting would be eligible for a reward under our bug bounty program, feel free to email us first.
We may issue monetary rewards for reported issues that we decide to fix, with higher rewards for distinctly creative or severe security issues. Issues that we determine to be an insignificant or accepted risk will not be eligible for a reward. The reward amount will be based on the severity of the issue and range from $25 to $500.
If we determine that an issue you report does not qualify for a monetary reward, or if you're unable or unwilling to provide the personal information we require to issue a monetary reward, we may still send you a t-shirt or a tote, stickers, or some other token form of recognition to say thanks. Please note that only reports submitted via the bounty submission form will be eligible for a reward under our bug bounty program.
We are a small and very busy Engineering Team, and we receive a lot of emails. Please do not send us multiple or repetitious emails asking the same questions about submitted reports or the status of potential bounty payments. This will not accelerate the process and may result in a slower response due to the extra burden on our inbox. We appreciate your patience.
Our bug bounty program is not a contest or competition. It is an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice. All decisions as to the amount and type of rewards that may be issued, the method of payment (for monetary rewards), and whether or not any reported issue constitutes a significant risk or is eligible for a reward, will be determined at Artsy's complete discretion in each case. We only issue rewards to individuals and may require a completed and signed U.S. form W-9 or W-8BEN as applicable. We typically issue monetary rewards by PayPal or check, and require your full name and appropriate contact information. You are responsible for any tax implications of any reward you receive and must comply with all tax laws applicable to any rewards that we may issue you. We cannot issue rewards to individuals who are on sanctions lists, or who are located in countries (e.g. Cuba, Iran, North Korea, Sudan, or Syria) that are on sanctions lists. You must comply with all applicable local, state, national, and international laws, rules, and regulations in connection with your participation in this program. Your participation in this program must not disrupt or compromise any data that does not belong to you.
The following issues have been reported by security researchers and received a bounty reward.
We'd like to thank the following security researchers who have reported issues that we have since resolved.