• $200 – $4,500 per vulnerability
• Safe harbor
• Managed by Bugcrowd

Program stats

91 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

$601 average payout (last 3 months)


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

At SoundCloud, we take the safety of our users very seriously. If you believe you have discovered a possible security vulnerability on our app(s), API(s), platform, or in any other SoundCloud service, please help us to fix it as quickly as possible by submitting your findings in accordance with this policy.


For the initial prioritization/rating of findings, this program uses the Bugcrowd Vulnerability Rating Taxonomy (VRT). In some cases a vulnerability's priority will be adjusted to reflect its actual likelihood or impact. Whenever an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

Please include a video recording with your submission showing the steps taken to reproduce the vulnerability.

Reward range

Technical severity   Reward range
P1 Critical          $4,100 - $4,500
P2 Severe            $1,500 - $1,750
P3 Moderate          $600 - $850
P4 Low               $200 - $250

P5 submissions do not receive any rewards for this program.


In scope

Target name   Type              Tags
              Website Testing   AWS, ReactJS, jQuery, Handlebars, Backbone, nginx, PHP, Amazon Cloudfront
              Website Testing   Amazon Cloudfront
              Website Testing   jQuery, RequireJS, Backbone, Javascript, Amazon Cloudfront
              Website Testing   AWS, Javascript, Amazon Cloudfront
              Website Testing   jQuery, Ruby, Amazon Cloudfront
              Website Testing   AWS, Amazon Cloudfront
              Website Testing   jQuery, Amazon Cloudfront
              Other             Website Testing
api*          API Testing       HTTP
              Website Testing   AWS, Bootstrap, Moment.js, jQuery
*             API Testing

Out of scope

Seven further Website Testing targets are explicitly listed as out of scope.

Testing is only authorized on the targets listed as In-Scope. Any domain/property of SoundCloud not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting.

Target information

Main website for SoundCloud users


Our various APIs for our mobile applications, partners and others. See below for an overview of the different API endpoints. The public API ( documentation is available here:

  • /

Mobile-optimized version of

Payment site for purchasing SoundCloud Go and frontend to third-party payment platform

Cross-device sign-ins (e.g. signing in from Xbox) and password reset flow

SoundCloud’s embeddable player widget

Repost is SoundCloud's distribution platform that allows artists and labels to distribute their music, grow their audiences, and make money from their music on SoundCloud and beyond.

Rules of Engagement

User Accounts & Access

No credentials will be provided for this program. Researchers are encouraged to self-signup for and test using various types of user accounts (user accounts, artist accounts, etc.). DO NOT perform testing against any account you do not expressly own. You're free to create multiple accounts, but again, do not test against anything you don't personally own.

Please note that there is an authenticated partners portal, but account credentials will not be supplied for this program. Feel free to test the authentication functionality.

Testing Artist Pages & Comments

We don't want to affect production users or create illegitimate traffic for SoundCloud end-users. Testing input parameters (comments, messaging, etc.) should NOT be performed on real artist or user pages. However, you're free to create your own accounts to test these areas, or use the following designated artist page to test input functionality for vulnerabilities:

Testing Payment Processing

This program does not provide testing funds or reimbursements. However, if desired, researchers are welcome to use their own money to test paid SoundCloud features.

Focus Areas

  • Execution of arbitrary server-side code or system commands (RCE)
  • XSS vectors with potential for fast automatic replication / “wormability”
  • Account take-over
  • Access to non-streaming optimized audio assets
  • Access to exclusive content without paying
  • Manipulation of Related Tracks feature


  • Denial of Service or rate limiting attacks
  • Any situation that affects a user that is not expressly yours
  • Leaked user tokens exposed through services that are not under the control of SoundCloud (leaked admin and staff member tokens are accepted)
  • Copyright infringement report form (

Permitted Research

Whitehat security researchers are always welcome, and responsible research and disclosure is not a matter for our lawyers. However, we do not tolerate any of the following, which will always be reported to the relevant authorities:

  • any attempt to modify or destroy data (except for data specifically created in one or more test accounts for the purpose of the security research)
  • any attempt to interrupt or degrade the services we offer to our users
  • any attempt to execute a Denial of Service attack
  • any attempt to access a user's account or data (except for data specifically created in one or more test accounts for the purpose of the security research)
  • any research that involves violation of any applicable law

Safe harbor for researchers

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state or national laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.