Context

The Deezer platform provides an innovative music streaming service that has attracted millions of users worldwide. Deezer lets them instantly play the music they want to hear and guarantees high-quality sound, diversification and personalized music curation.

Deezer is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, please let us know about it and we'll do our best to quickly correct the issue.

We take security issues seriously and we're big believers in protecting privacy and security. Our bug bounty programs has been put in place to give a tip of the hat to software security researchers.

Scope

To be eligible for a reward, note that we typically require the issue report to have some actual security impact in a realistic scenario. This does not mean you need to fully exploit issues. Providing the information you have will most of the time allow us to analyze your report and draw conclusions on the impact.

If your Deezer account is deactivated by our system because it detected a malicious attempt, please contact the Bounty Program manager to ask for its re-activation.

We are interested in hearing about critical security issues on the following scope. If you find a vulnerability on an unlisted domain or scope, create short vulnerability report before going to deeply into an analysis so that we can answer you about its validity and criticality.

If you report a vulnerability our teams are already aware of, we'll keep you updated about

Note that it can happen sometimes that our teams are already aware and working on a vulnerability before your reported it, we'll thank you for having reported it nevertheless in that case the report won't be eligible for a reward.

Rules for us

• We will respond as quickly as possible to your submission
• We will keep you updated as we work to fix the bug you submitted
• We will not take legal action against you if you play by the rules
• We reserve us the right to cancel this program or change its scope at any time
• The decision to pay a reward is at our discretion

Rules for you

• Don’t attempt to gain access to another user’s account or data
• Do not impact other users with your testing
• Don’t perform attack that could harm the reliability/integrity of our services or data
• Don’t publicly disclose a bug before it has been fixed
• Don’t use scanners or automated tools over a long period of time to find vulnerabilities (let us know before doing such things!)
• Never attempt non-technical attacks such as social engineering, phishing or physical attacks
• Disclose the vulnerability report exclusively through yeswehack.com

Thanks

Currently, the scope of our bug bounty program is limited to certain vulnerabilities and scope. However, we are happy to thank everyone who submits a non-high-severity vulnerabilities through bonus points. Please note that Deezer will determine in its discretion whether a reward should be granted and the amount of the reward. But we aim to be fair.

Thank you for helping keep Deezer safe!

Any non-security related issue will not be eligible for a money reward. Bugs, wrong interface or API behavior, etc. should be sent to http://support.deezer.com/requests/new