| Scope Type | Scope Name |
| --- | --- |
| android_application | Sprout Social for Android |
| ios_application | Sprout Social for iOS |

Out of Scope

| Scope Type | Scope Name |
| --- | --- |
| other | Anything that CNAMEs to a third party |
Sprout Social’s social media management platform will help you find, form and deepen real connections with the people who love your brand. We invite you to test and help secure our primary publicly facing assets. We appreciate your efforts in making SproutSocial more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
This program only awards points for VRT-based submissions.
In Scope

| Target name | Type |
| --- | --- |
| app.sproutsocial.com | Website |
| app.sproutsocial.com/api | API |
| downloads.sproutsocial.com | Website |
| media.sproutsocial.com | Website |
| sproutsocial.com | Website |
| sproutsocial.com/insights | Website |
| sproutsocial.com/adapt/ | Website |
| sproutsocial.com/es/ | Website |
| sproutsocial.com/pt/ | Website |
| sproutsocial.com/mktapi | API |
| Sprout Social for Android | Android |
| Sprout Social for iOS | iOS |
| simplymeasured.com | Website |
| getbambu.com | Website |

Out of Scope

| Target name | Type |
| --- | --- |
| jobboard.sproutsocial.com | Website |
| Anything that CNAMEs to a third party | Other |
| *.sproutsocial.com/wp-includes | Website |
| sproutsocial.com/wp-includes | Website |
| pagely.sproutsocial.com | Website |
Testing is only authorized on the targets listed as In-Scope. Any domain/property of SproutSocial not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
We generally appreciate any bug reports about systems that we use. However, we cannot authorize testing against third parties that we may contract with, and such testing may be in violation of their terms of service. In addition, for anything hosted on AWS, please avoid using network scanners, as this is prohibited by AWS unless you have prior permission (and even then is prohibited in many cases).
There are a few specific exclusions above. Please ensure that you have read and fully understood the target listing above before testing anything.
For new features to test, please see the following:
Sprout Social offers a free 30-day trial, so go ahead and make an account (no credit card needed to sign up). You may attach your own profiles to those accounts (this may be useful to give yourself more experience with the various parts of the app), or you may attach fake profiles of your choosing. We do not provide test accounts for use.
Researchers testing the mobile applications should note that we do not presently allow new account signups from the mobile apps. New trial accounts may be created on the site from a mobile browser, and subsequently used in the mobile applications.
When conducting vulnerability research according to this policy, we consider this research to be:
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via email@example.com before going any further.
This program follows Bugcrowd’s standard disclosure terms.
You may only test against an account for which you are the account owner or an agent authorized by the account owner to conduct such testing.
Sprout Social prohibits the following types of research:
Accessing, or attempting to access, data that does not belong to you
Executing, or attempting to execute, a denial of service attack
Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages
Testing third party websites, applications or services that integrate with Sprout Social
Knowingly posting, transmitting, uploading, linking to, sending or storing any malware, viruses or similar harmful software
Research conducted by minors, individuals on sanctions lists or individuals in countries on sanctions lists
To all security researchers who follow this Responsible Disclosure Policy, Sprout Social promises to:
Acknowledge receipt of your report in a timely manner
Provide an estimated time frame for addressing the vulnerability
Notify you when the vulnerability is fixed
Publicly acknowledge your responsible disclosure, if you wish
Please do not publicly disclose vulnerability details without express written consent from Sprout Social.