15/04/2019
Reward: 100 $

SoundCloud

At SoundCloud, we take the safety of our users very seriously. If you believe you have discovered a possible security vulnerability on our app(s), API(s), platform, or in any other SoundCloud service, please help us to fix it as quickly as possible by submitting your findings in accordance with this policy.

Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward Range

Last updated 5 Jun 2019 18:06:39 UTC

Technical severity | Reward range
---|---
P1 Critical | $1,200 - $1,500
P2 Severe | $700 - $1,000
P3 Moderate | $300 - $500
P4 Low | $100 - $300

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
soundcloud.com | Website
m.soundcloud.com | Website
mobi.soundcloud.com | Website
checkout.soundcloud.com | Website
developers.soundcloud.com | Website
secure.soundcloud.com | Website
w.soundcloud.com | Website
soundcloudmail.com | Other
api*.soundcloud.com | API

Out of scope

Target name | Type
---|---
advertising.soundcloud.com | Website
blog.soundcloud.com | Website
community.soundcloud.com | Website
copyright.soundcloud.com | Website
help.soundcloud.com | Website
press.soundcloud.com | Website
status.soundcloud.com | Website

Testing is only authorized on the targets listed as In-Scope. Any domain/property of SoundCloud not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.


Target information

soundcloud.com

Main website for SoundCloud users

api*.soundcloud.com

Our various APIs for soundcloud.com, our mobile applications, partners and others. See below for an overview of the different API endpoints. The public API (api.soundcloud.com) documentation is available here: https://developers.soundcloud.com/docs/api/guide

  • api.soundcloud.com
  • api-auth.soundcloud.com
  • api-curators.soundcloud.com
  • api-deck.soundcloud.com
  • api-fortune.soundcloud.com
  • api-mobile-creators.soundcloud.com
  • api-mobile.soundcloud.com
  • api-mobi.soundcloud.com
  • api-partners.soundcloud.com
  • api-playback.soundcloud.com
  • api-pss.soundcloud.com
  • api-v2.soundcloud.com
  • api-widget.soundcloud.com

m.soundcloud.com / mobi.soundcloud.com

Mobile-optimized version of soundcloud.com

checkout.soundcloud.com

Payment site for purchasing SoundCloud Go and frontend to third-party payment platform

secure.soundcloud.com

Cross-device sign-ins (e.g. signing in from Xbox) and password reset flow

w.soundcloud.com

SoundCloud’s embeddable player widget


Rules of Engagement

User Accounts & Access

No credentials will be provided for this program. Researchers are encouraged to self-signup for and test using various types of user accounts (user accounts, artist accounts, etc.). DO NOT perform testing against any account you do not expressly own. You're free to create multiple accounts, but again, do not test against anything you don't personally own.

Please note that there is an authenticated partners portal, but account credentials will not be supplied for this program. Feel free to test the authentication functionality.

Testing Artist Pages & Comments

We don't want to affect production users or create illegitimate traffic for SoundCloud end-users. Testing input parameters (comments, messaging, etc.) should NOT be performed on real artist or user pages. However, you're free to create your own accounts to test these areas, or use the following designated artist page to test input functionality for vulnerabilities: https://soundcloud.com/hobnobclanandthereflux

Testing Payment Processing

This program does not provide testing funds or reimbursements. However, if desired, researchers are welcome to use their own money to test paid SoundCloud features.

Focus Areas

  • Execution of arbitrary server-side code or system commands (RCE)
  • XSS vectors with potential for fast automatic replication / “wormability”
  • Account take-over
  • Access to non-streaming optimized audio assets
  • Access to exclusive content without paying
  • Manipulation of Related Tracks feature

Out-of-Scope


Permitted Research

Whitehat security researchers are always welcome, and responsible research and disclosure are not a matter for our lawyers. However, we do not tolerate any of the following, which will always be reported to the relevant authorities:

  • any attempt to modify or destroy data (except for data specifically created in one or more test accounts for the purpose of the security research)
  • any attempt to interrupt or degrade the services we offer to our users
  • any attempt to execute a Denial of Service attack
  • any attempt to access a user's account or data (except for data specifically created in one or more test accounts for the purpose of the security research)
  • any research that involves violation of any applicable law

Safe harbor for researchers

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state or national laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type | Scope Name
---|---
web_application | soundcloud.com
web_application | m.soundcloud.com
web_application | mobi.soundcloud.com
web_application | checkout.soundcloud.com
web_application | developers.soundcloud.com
web_application | secure.soundcloud.com
web_application | w.soundcloud.com
web_application | soundcloudmail.com
web_application | api*.soundcloud.com

Out of Scope

Scope Type | Scope Name
---|---
web_application | advertising.soundcloud.com
web_application | blog.soundcloud.com
web_application | community.soundcloud.com
web_application | copyright.soundcloud.com
web_application | help.soundcloud.com
web_application | press.soundcloud.com
web_application | status.soundcloud.com


This program covers 16 scopes in 1 scope category.

FireBounty © 2015-2019
