Smule welcomes working with the security community to resolve security
vulnerabilities in order to keep our customers safe. We will make a best
effort to respond to incoming reports and keep you informed about our progress
toward resolving any issues.
- If you have identified a potential security vulnerability in our technology, please submit us a detailed report with reproducible steps.
- Follow HackerOne's disclosure guidelines.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Any production public-facing website owned & operated by Smule. Any
application published on the Apple App Store or Google Play Store published by
Restrictions & Exclusions
The use of automated scanning against the web or API are strictly prohibited
and will result in IP bans along with rejection of any findings
The following issues fall outside the scope of our VDP:
- No Social engineering attacks (e.g. phishing, vishing, smishing)
- No physical attacks of Smule’s office or data centers are permitted
- No Denial-of-Service attacks
- Brute force attacks
- No beta or other pre-production/testing environments
- No 3rd party party hosted applications (ex: status pages, customer support systems)
- Outdated TLS configurations which remain to support legacy Android
- Clickjacking attacks without a documented series of clicks that produce a vulnerability
- Email (including SPF/DKIM/DMARC)
- Missing HTTP headers, unless a vulnerability can be demonstrated
- Assumed vulnerabilities based upon version numbers only
- Insecure cookie settings for non-sensitive cookies
- Bugs requiring exceedingly unlikely user interaction
- Smule reserves the right to make the final decision on the classification of all vulnerability reports. We may mark reports as duplicate, non-applicable or otherwise, at our own discretion.