30/06/2015
Sprout Social

Why Sprout's Bug Bounty?

Sprout Social’s social media management platform will help you find, form and deepen real connections with the people who love your brand. We invite you to test and help secure our primary publicly facing assets. We appreciate your efforts in making SproutSocial more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

This program only awards points for VRT-based submissions.

Targets

In scope

Target name | Type
---|---
app.sproutsocial.com | Website
app.sproutsocial.com/api | API
downloads.sproutsocial.com | Website
media.sproutsocial.com | Website
sproutsocial.com | Website
sproutsocial.com/insights | Website
sproutsocial.com/adapt/ | Website
sproutsocial.com/es/ | Website
sproutsocial.com/pt/ | Website
sproutsocial.com/mktapi | API
Sprout Social for Android | Android
Sprout Social for iOS | iOS
simplymeasured.com | Website
getbambu.com | Website

Out of scope

Target name | Type
---|---
jobboard.sproutsocial.com | Website
Anything that CNAMEs to a third party | Other
*.sproutsocial.com/wp-includes | Website
sproutsocial.com/wp-includes | Website
pagely.sproutsocial.com | Website

Testing is only authorized on the targets listed as in scope. Any domain/property of SproutSocial not listed in the targets section is out of scope. This includes any and all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.

A note about the targets above

We generally appreciate any bug reports about systems that we use. However, we cannot authorize testing against third parties that we may contract with, and such testing may be in violation of their terms of service. In addition, for anything hosted on AWS, please avoid using network scanners, as this is prohibited by AWS unless you have prior permission (and even then is prohibited in many cases).

There are a few specific exclusions above. Please ensure that you have read and fully understood the target listing above before testing anything.

For new features to test, please see the following:
https://sproutsocial.com/insights/release/


Credentials:

Sprout Social offers a free 30-day trial, so go ahead and make an account (no credit card is needed to sign up). Use your @bugcrowdninja.com email address when signing up. You may attach your own profiles to those accounts (this may be useful to give yourself more experience with the various parts of the app), or you may attach fake profiles of your choosing. We do not provide test accounts.

Researchers testing the mobile applications should note that we do not presently allow new account signups from the mobile apps. New trial accounts may be created on the site from a mobile browser, and subsequently used in the mobile applications.


Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

Learn more about Bugcrowd’s VRT.

You may only test against an account for which you are the account owner or an agent authorized by the account owner to conduct such testing.

Sprout Social prohibits the following types of research:

  • Accessing, or attempting to access, data that does not belong to you

  • Executing, or attempting to execute, a denial of service attack

  • Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages

  • Testing third party websites, applications or services that integrate with Sprout Social

  • Knowingly posting, transmitting, uploading, linking to, sending or storing any malware, viruses or similar harmful software

  • Research conducted by minors, individuals on sanctions lists or individuals in countries on sanctions lists

To all security researchers who follow this Responsible Disclosure Policy, Sprout Social promises to:

  • Acknowledge receipt of your report in a timely manner

  • Provide an estimated time frame for addressing the vulnerability

  • Notify you when the vulnerability is fixed

  • Publicly acknowledge your responsible disclosure, if you wish

Please do not publicly disclose vulnerability details without express written consent from Sprout Social.

This program was crawled on 2015-06-30 and is categorized as a bounty.

FireBounty © 2015-2019