SoundCloud

  • $100 – $1,500 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

57 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$271.42 average payout (last 3 months)


Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

At SoundCloud, we take the safety of our users very seriously. If you believe you have discovered a possible security vulnerability on our app(s), API(s), platform, or in any other SoundCloud service, please help us to fix it as quickly as possible by submitting your findings in accordance with this policy.

Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward Range

Technical severity   Reward range
P1 Critical          $1,200 - $1,500
P2 Severe            $700 - $1,000
P3 Moderate          $300 - $500
P4 Low               $100 - $300
P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name                  Type
soundcloud.com               Website
m.soundcloud.com             Website
mobi.soundcloud.com          Website
checkout.soundcloud.com      Website
developers.soundcloud.com    Website
secure.soundcloud.com        Website
w.soundcloud.com             Website
soundcloudmail.com           Other
api*.soundcloud.com          API

Out of scope

Target name                  Type
advertising.soundcloud.com   Website
blog.soundcloud.com          Website
community.soundcloud.com     Website
copyright.soundcloud.com     Website
help.soundcloud.com          Website
press.soundcloud.com         Website
status.soundcloud.com        Website

Testing is only authorized on the targets listed as in scope. Any domain or property of SoundCloud not listed in the targets section is out of scope, including any subdomains not listed above.
If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.
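Before pointing any automated recon or scanning at SoundCloud hosts, it is worth encoding the scope rules above so that tooling cannot drift onto unlisted or explicitly excluded subdomains. The following is an added example (not code from SoundCloud or Bugcrowd) that transcribes the two target tables and applies the brief's rules: explicit out-of-scope entries win, the `api*.soundcloud.com` wildcard is assumed to match within a single DNS label only (a conservative reading; `api.evil.soundcloud.com` is treated as unlisted), and anything not matched is reported as unlisted, which the brief says is out of scope. Hostnames, URLs with ports, mixed case and trailing dots are all normalised first.

```python
import re
from urllib.parse import urlsplit

# Scope lists transcribed from the program brief above.
IN_SCOPE = [
    "soundcloud.com", "m.soundcloud.com", "mobi.soundcloud.com",
    "checkout.soundcloud.com", "developers.soundcloud.com",
    "secure.soundcloud.com", "w.soundcloud.com", "soundcloudmail.com",
    "api*.soundcloud.com",
]
OUT_OF_SCOPE = [
    "advertising.soundcloud.com", "blog.soundcloud.com",
    "community.soundcloud.com", "copyright.soundcloud.com",
    "help.soundcloud.com", "press.soundcloud.com", "status.soundcloud.com",
]


def _pattern_to_regex(pattern):
    """Turn a scope entry into an anchored regex.

    Assumption: '*' matches only within one DNS label, so
    'api*.soundcloud.com' covers 'api-v2.soundcloud.com' but not
    'api.evil.soundcloud.com'. Confirm with the program if in doubt.
    """
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.compile("^" + "[^.]*".join(parts) + "$")


def normalize_host(target):
    """Accept a bare hostname, host:port or full URL; return a lowercase
    hostname without port or trailing dot."""
    if "://" not in target:
        target = "//" + target          # lets urlsplit parse host:port forms
    host = urlsplit(target).hostname or ""
    return host.lower().rstrip(".")


def scope_status(target):
    """Return 'in-scope', 'out-of-scope' or 'unlisted' for a host or URL."""
    host = normalize_host(target)
    # Explicit exclusions take precedence over any in-scope pattern.
    if any(_pattern_to_regex(p).match(host) for p in OUT_OF_SCOPE):
        return "out-of-scope"
    if any(_pattern_to_regex(p).match(host) for p in IN_SCOPE):
        return "in-scope"
    # The brief: any property not listed, including subdomains, is out of scope.
    return "unlisted"


def filter_targets(targets):
    """Split a recon host list into (allowed, blocked); only 'in-scope' is allowed."""
    allowed, blocked = [], []
    for t in targets:
        (allowed if scope_status(t) == "in-scope" else blocked).append(t)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample host list, as a recon tool might emit it.
    sample = [
        "https://api-v2.soundcloud.com/tracks", "M.SOUNDCLOUD.COM:443",
        "blog.soundcloud.com", "www.soundcloud.com", "api.evil.soundcloud.com",
    ]
    ok, no = filter_targets(sample)
    print("allowed:", ok)
    print("blocked:", no)
```

Feed the blocked list nowhere; the point of returning `unlisted` separately from `out-of-scope` is so you can spot hosts worth asking support@bugcrowd.com about before touching them.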


Target information

soundcloud.com

Main website for SoundCloud users

api*.soundcloud.com

Our various APIs for soundcloud.com, our mobile applications, partners and others. See below for an overview of the different API endpoints. The public API (api.soundcloud.com) documentation is available here: https://developers.soundcloud.com/docs/api/guide

  • api.soundcloud.com
  • api-auth.soundcloud.com
  • api-curators.soundcloud.com
  • api-deck.soundcloud.com
  • api-fortune.soundcloud.com
  • api-mobile-creators.soundcloud.com
  • api-mobile.soundcloud.com
  • api-mobi.soundcloud.com
  • api-partners.soundcloud.com
  • api-playback.soundcloud.com
  • api-pss.soundcloud.com
  • api-v2.soundcloud.com
  • api-widget.soundcloud.com

m.soundcloud.com / mobi.soundcloud.com

Mobile-optimized version of soundcloud.com

checkout.soundcloud.com

Payment site for purchasing SoundCloud Go and frontend to third-party payment platform

secure.soundcloud.com

Cross-device sign-ins (e.g. signing in from Xbox) and password reset flow

w.soundcloud.com

SoundCloud’s embeddable player widget


Rules of Engagement

User Accounts & Access

No credentials will be provided for this program. Researchers are encouraged to sign up themselves and test with the various types of accounts available (user accounts, artist accounts, etc.). DO NOT perform testing against any account you do not expressly own. You're free to create multiple accounts, but again, do not test against anything you don't personally own.

Please note that there is an authenticated partners portal, but account credentials will not be supplied for this program. Feel free to test the authentication functionality.

Testing Artist Pages & Comments

We don't want to affect production users or create illegitimate traffic for SoundCloud end-users. Testing input parameters (comments, messaging, etc.) should NOT be performed on real artist or user pages. However, you're free to create your own accounts to test these areas, or use the following designated artist page to test input functionality for vulnerabilities: https://soundcloud.com/hobnobclanandthereflux

Testing Payment Processing

This program does not provide testing funds or reimbursements. However, if desired, researchers are welcome to use their own money to test paid SoundCloud features.

Focus Areas

  • Execution of arbitrary server-side code or system commands (RCE)
  • XSS vectors with potential for fast automatic replication / “wormability”
  • Account take-over
  • Access to non-streaming optimized audio assets
  • Access to exclusive content without paying
  • Manipulation of Related Tracks feature

Out-of-Scope


Permitted Research

Whitehat security researchers are always welcome, and responsible research and disclosure is not a matter for our lawyers. However, we do not tolerate any of the following, which will always be reported to the relevant authorities:

  • any attempt to modify or destroy data (except for data specifically created in one or more test accounts for the purpose of the security research)
  • any attempt to interrupt or degrade the services we offer to our users
  • any attempt to execute a Denial of Service attack
  • any attempt to access a user's account or data (except for data specifically created in one or more test accounts for the purpose of the security research)
  • any research that involves violation of any applicable law

Safe harbor for researchers

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state or national laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.