At SoundCloud, we take the safety of our users very seriously. If you believe you have discovered a possible security vulnerability on our app(s), API(s), platform, or in any other SoundCloud service, please help us to fix it as quickly as possible by submitting your findings in accordance with this policy.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Please include a video recording with your submission showing the steps taken to find the vulnerability.
| Technical severity | Reward range |
|---|---|
| P1 Critical | $4,100 - $4,500 |
| P2 Severe | $1,500 - $1,750 |
| P3 Moderate | $600 - $850 |
| P4 Low | $200 - $250 |
Out of scope
Testing is only authorized on the targets listed as In-Scope. Any domain or property of SoundCloud not listed in the targets section is out of scope. This includes any and all subdomains not listed above.
If you believe you've identified a vulnerability on a system outside the scope, please reach out to email@example.com before submitting.
Main website for SoundCloud users
Our various APIs for soundcloud.com, our mobile applications, partners and others. See below for an overview of the different API endpoints. The public API (api.soundcloud.com) documentation is available here: https://developers.soundcloud.com/docs/api/guide
m.soundcloud.com / mobi.soundcloud.com
Mobile-optimized version of soundcloud.com
Payment site for purchasing SoundCloud Go and frontend to third-party payment platform
Cross-device sign-ins (e.g. signing in from Xbox) and password reset flow
SoundCloud’s embeddable player widget
Repost is SoundCloud's distribution platform that allows artists and labels to distribute their music, grow their audiences, and make money from their music on SoundCloud and beyond.
Rules of Engagement
User Accounts & Access
No credentials will be provided for this program. Researchers are encouraged to self-signup for and test using various types of user accounts (user accounts, artist accounts, etc.). DO NOT perform testing against any account you do not expressly own. You're free to create multiple accounts, but again, do not test against anything you don't personally own.
Please note that there is an authenticated partners portal, but account credentials will not be supplied for this program. Feel free to test the authentication functionality.
Testing Artist Pages & Comments
We don't want to affect production users or create illegitimate traffic for SoundCloud end-users. Testing input parameters (comments, messaging, etc.) should NOT be performed on real artist or user pages. However, you're free to create your own accounts to test these areas, or use the following designated artist page to test input functionality for vulnerabilities: https://soundcloud.com/hobnobclanandthereflux
Testing Payment Processing
This program does not provide testing funds or reimbursements. However, if desired, researchers are welcome to use their own money to test paid SoundCloud features.
- Execution of arbitrary server-side code or system commands (RCE)
- XSS vectors with potential for fast automatic replication / “wormability”
- Account take-over
- Access to non-streaming optimized audio assets
- Access to exclusive content without paying
- Manipulation of Related Tracks feature
- Denial of Service or rate limiting attacks
- Any situation that affects a user that is not expressly yours
- Leaked user tokens through services that are not under the control of SoundCloud (leaked admin and staff member tokens are accepted)
- Copyright infringement report form (https://soundcloud.com/pages/copyright/report/form)
Whitehat security researchers are always welcome, and responsible research and disclosure is not a matter for our lawyers. However, we do not tolerate any of the following, which will always be reported to the relevant authorities:
- any attempt to modify or destroy data (except for data specifically created in one or more test accounts for the purpose of the security research)
- any attempt to interrupt or degrade the services we offer to our users
- any attempt to execute a Denial of Service attack
- any attempt to access a user's account or data (except for data specifically created in one or more test accounts for the purpose of the security research)
- any research that involves violation of any applicable law
Safe harbor for researchers
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state or national laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via firstname.lastname@example.org before going any further.