Why Sprout's Bug Bounty?
By participating in Sprout Social's Bugcrowd bounty, you can have a real impact on a service used by more than 17,000 businesses worldwide. Your submissions will be reviewed by one of our friendly staff and, if valid, passed on to our engineers for resolution. We pride ourselves on quick turnaround times for our submissions (which are hopefully borne out by that counter that they show on the program page...) and a willingness to investigate every reported issue thoroughly.
How to participate
Sprout offers a free 30-day trial, so go ahead and make an account (no credit card needed to sign up). You may attach your own profiles to those accounts (this may be useful to give yourself more experience with the various parts of the app), or you may attach fake profiles of your choosing. We do not provide test accounts for your use.
Researchers testing the mobile applications should note that we do not presently allow new account signups from the mobile apps. New trial accounts may be created on the site from a mobile browser, however, and subsequently used in the mobile applications.
What kinds of things are you looking for?
All bug submissions are appreciated. However, bugs with higher ratings on the Bugcrowd Vulnerability Rating Taxonomy are especially appreciated. Obviously we like to not have those present in the codebase, but if they are, we want to know. Low quality, low effort submissions of low severity scan results from a standard scanner will, obviously, not be looked upon favorably. (I promise we're running system scanners and SSL Labs too.)
In general, shoot for higher rated issues in the rating taxonomy and avoid things that are specified to be avoided in the Standard Disclosure Terms.
- Sprout Social for iOS
- Sprout Social for Android
Out of scope
- Anything that CNAMEs to a third party
A note about the targets above
We generally appreciate any bug reports about systems that we use. However, we cannot authorize testing against third parties that we may contract with, and such testing may be in violation of their terms of service. In addition, for anything hosted on AWS, please avoid using network scanners, as this is prohibited by AWS unless you have prior permission (and even then is prohibited in many cases).
There are a few specific exclusions above. Please ensure that you have read and fully understood the target listing above before testing anything.
Standard Public Disclosure Terms
Before you begin, please read and understand the Standard Disclosure Terms (available at: https://blog.bugcrowd.com/standard-disclosure-terms/).
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd's VRT.
You may only test against an account for which you are the account owner or an agent authorized by the account owner to conduct such testing.
Sprout Social prohibits the following types of research:
- Accessing, or attempting to access, data that does not belong to you
- Executing, or attempting to execute, a denial of service attack
- Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages
- Testing third party websites, applications or services that integrate with Sprout Social
- Knowingly posting, transmitting, uploading, linking to, sending or storing any malware, viruses or similar harmful software
- Research conducted by minors, individuals on sanctions lists or individuals in countries on sanctions lists
To all security researchers who follow this Responsible Disclosure Policy, Sprout Social promises to:
- Acknowledge receipt of your report in a timely manner
- Provide an estimated time frame for addressing the vulnerability
- Notify you when the vulnerability is fixed
- Publicly acknowledge your responsible disclosure, if you wish
Please do not publicly disclose vulnerability details without express written consent from Sprout Social.