Why Sprout's Bug Bounty?
Sprout Social’s social media management platform will help you find, form and deepen real connections with the people who love your brand. We invite you to test and help secure our primary publicly facing assets. We appreciate your efforts in making SproutSocial more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
This program follows Bugcrowd’s standard disclosure terms.
You may only test against an account for which you are the account owner or an agent authorized by the account owner to conduct such testing.
Sprout Social prohibits the following types of research:
- Accessing, or attempting to access, data that does not belong to you
- Executing, or attempting to execute, a denial of service attack
- Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages
- Testing third party websites, applications or services that integrate with Sprout Social
- Knowingly posting, transmitting, uploading, linking to, sending or storing any malware, viruses or similar harmful software
- Research conducted by minors, individuals on sanctions lists or individuals in countries on sanctions lists
To all security researchers who follow this Responsible Disclosure Policy, Sprout Social promises to:
- Acknowledge receipt of your report in a timely manner
- Provide an estimated time frame for addressing the vulnerability
- Notify you when the vulnerability is fixed
- Publicly acknowledge your responsible disclosure, if you wish
Please do not publicly disclose vulnerability details without express written consent from Sprout Social.