Bug Bounty Program
For Professional Researchers: Bug Bounty Program
Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in also helping to keep the eBay family of companies and its customers secure. If you discover a site or product vulnerability please notify us using the guidelines below.
Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site or product vulnerability to eBay Inc. or its family of subsidiary companies (“eBay”) you acknowledge that you have read and agreed to these Program Terms.
These Program Terms supplement the terms of the eBay User Agreement, the PayPal User Agreement, and any other agreement(s) in which you have entered with eBay Inc. and its family of subsidiary companies (collectively the “User Agreements”). The terms of those User Agreements will apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If there is any inconsistency exists between the terms of the User Agreements and these Program Terms, these Program Terms will control, but only with regard to the Bug Bounty Program.
You can jump to particular sections of these Program Terms by using the following links:
Responsible Disclosure Policy
To encourage responsible disclosures, eBay commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms and the User Agreements, eBay will not bring a private action or refer a matter for public inquiry.
To participate in the Bug Bounty Program, you must have a verified PayPal account in good standing in order to register for the Bug Bounty Program and be eligible to receive Bounty Payments (described further below). Alternatively, if you do not have a PayPal account, you may elect to submit reports via email, but you won’t be eligible for a Bounty Payment. If you do not currently have a PayPal account, you can sign up for one here.
To be eligible for the Bug Bounty Program, you must not:
- Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
- Be employed by eBay, Inc. or its subsidiaries
- Be an immediate family member of a person employed by eBay, Inc. or its subsidiaries; or
- Be less than 18 years of age.
If eBay discovers that you do not meet any of the criteria above, eBay will remove you from the Bug Bounty Program and disqualify you from receiving any bounty payments. Any submissions you make to eBay, whether via your Bug Bounty Program account or via email shall be considered “Submission(s)” for purposes of these Program Terms.
Bug Submission Requirements and Guidelines
If you are a security researcher who has discovered a site or product vulnerability on a qualifying domain and would like to participate in the Bug Bounty Program, you can send us a submission by logging into and participating in the Bug Bounty Program located at PayPal
In researching vulnerabilities on eBay’s sites, you may not engage in testing that (i) results in a degradation of eBay systems, (ii) destroys eBay or customer data, or (iii) may impact eBay customers, such as denial of service, social engineering or spam.
You may not publicly disclose your findings or the contents of your Submission in any way without eBay’s prior written approval.
Failure to follow these guidelines will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any bounty payments.
Ownership of Submissions
As between eBay and you, as a condition of participation in the eBay Bug Bounty program, you hereby grant eBay, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to eBay in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us.
You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to eBay. In no event shall eBay be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as eBay complies with the terms of participation stated herein.
You may be eligible to receive a monetary reward, or “bounty,” if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to by a valid security issue by eBay’s security team; and (iii) you have complied with all Program Terms.
Bounty payments, if any, will be determined by eBay, in eBay’s sole discretion. In no event shall eBay be obligated to pay you a bounty for any Submission. All bounty payments shall be considered gratuitous.
In the event eBay elects to pay you a bounty, eBay may make a partial payment when the vulnerability is first verified by eBay and then an additional payment once the vulnerability has been fixed. The format and timing of all bounty payments shall be determined in eBay’s sole discretion.
All bounty payments must be made to a verified PayPal Account in good standing. If you do not have a verified PayPal Account in good standing at the time of payment, you will not be eligible to receive a bounty (except in extraordinary circumstances agreed to by eBay via email from the Bug Bounty Program team).
All bounty payments will be made in United States dollars (USD).
Wall of Fame
In the event you breach any of these Program Terms or the terms and conditions of the eBay Agreements, eBay may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any bounty payments.
Any information you receive or collect about eBay or any eBay user through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the eBay sites, without eBay’s prior written consent.
In addition to any indemnification obligations you may have under the eBay Agreements, you agree to defend, indemnify and hold eBay, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of eBay, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Program Terms and/or your improper use of the Bug Bounty Program.
Changes to Program Terms
The Bug Bounty Program, including its policies, is subject to change or cancellation by eBay at any time, without notice. As such, eBay may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after eBay posts any such changes, you accept the Program Terms, as modified.
eBay.com submissions are currently not in scope for this Bug Bounty Program