Security Researchers

Professional Security Researchers

The information on this page is intended for professional security researchers who want to report potential security vulnerabilities to the eBay security team. If you are an eBay customer, and you want to report a concern about your account or about fraud or malware, please contact Customer Support or visit the Report a Concern page for more information. The eBay security team does not have access to customer information or the ability to resolve customer issues.

Reporting a Possible Security Vulnerability to eBay

At eBay, we take the security of our users very seriously. If you believe you have discovered a potential security vulnerability on any of these eBay domains, please help us fix it as quickly as possible by reporting your findings to us in accordance with our Guidelines for Responsible Disclosure. Publicly disclosing a vulnerability can put the entire community at risk, so we urge you to keep matters private until we are able to resolve the issue. eBay takes security very seriously and investigates all reported vulnerabilities.

Guidelines for responsible disclosure

At eBay, we recognize the important role that security researchers and our community play in keeping eBay and our customers secure. If you discover a vulnerability on ebay.com, please notify us using the following guidelines:

• Please share the security issue with us before making it public on message boards, mailing lists, or other forums.
• Please wait until we notify you that the vulnerability has been resolved before you disclose it to others. We take the security of our customers very seriously, and some vulnerabilities take longer than others to resolve.
• When submitting a vulnerability, please provide a clear, concise description of steps to reproduce the vulnerability.
• Please provide full details of the security issue, including Proof-of-Concept (POC) URL and the details of the system where the tests were conducted.
• To receive credit, you must be the first to report the vulnerability, and you must provide us a reasonable amount of time to remediate before you disclose the issue publicly.
• Your submission will be reviewed and validated by a member of the Product Security Incident Response Team. Providing clear and concise steps to reproduce the issue will help to expedite the response.
• Please do not engage in security research that involves:
  • Potential or actual damage to eBay users, systems, or applications.
  • Use of an exploit to view data without authorization that involves the corruption of data.
  • Requests of compensation for the reporting of security issues through any external marketplace for vulnerabilities, whether black-market or otherwise.