Sprout Social

  • Safe harbor

We no longer offer point rewards for submissions on this program. Please refer to our blog post: How Bugcrowd sees VDPs and points for more details.

Program stats

  • Vulnerabilities accepted 201
  • Validation within 3 days 75% of submissions are accepted or rejected within 3 days

Latest hall of famers

Recently joined this program


Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

Why Sprout's Bug Bounty?

Sprout Social’s social media management platform will help you find, form and deepen real connections with the people who love your brand. We invite you to test and help secure our primary publicly facing assets. We appreciate your efforts in making SproutSocial more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.


Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

Learn more about Bugcrowd’s VRT.

You may only test against an account for which you are the account owner or an agent authorized by the account owner to conduct such testing.

Sprout Social prohibits the following types of research:

  • Accessing, or attempting to access, data that does not belong to you

  • Executing, or attempting to execute, a denial of service attack

  • Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages

  • Testing third party websites, applications or services that integrate with Sprout Social

  • Knowingly posting, transmitting, uploading, linking to, sending or storing any malware, viruses or similar harmful software

  • Research conducted by minors, individuals on sanctions lists or individuals in countries on sanctions lists

To all security researchers who follow this Responsible Disclosure Policy, Sprout Social promises to:

  • Acknowledge receipt of your report in a timely manner

  • Provide an estimated time frame for addressing the vulnerability

  • Notify you when the vulnerability is fixed

  • Publicly acknowledge your responsible disclosure, if you wish

Please do not publicly disclose vulnerability details without express written consent from Sprout Social.