At SoundCloud, we take the safety of our users very seriously. If you believe you have discovered a possible security vulnerability on our app(s), API(s), platform, or in any other SoundCloud service, please help us to fix it as quickly as possible by submitting your findings in accordance with this policy.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Last updated 10 Apr 2019 19:59:55 UTC
Technical severity | Reward range
p1 Critical | $1,200 - $1,500
p2 Severe | $700 - $1,000
p3 Moderate | $300 - $500
p4 Low | $100 - $300
P5 submissions do not receive any rewards for this program.
Target name | Type
soundcloud.com | Website
SoundCloud iOS app | iOS
SoundCloud Android app | Android
SoundCloud iOS Pulse | iOS
SoundCloud Android Pulse | Android
m.soundcloud.com | Website
mobi.soundcloud.com | Website
checkout.soundcloud.com | Website
developers.soundcloud.com | Website
secure.soundcloud.com | Website
w.soundcloud.com | Website
api.soundcloud.com | API
api-deck.soundcloud.com | API
api-mobi.soundcloud.com | API
api-mobile.soundcloud.com | API
api-mobile-creators.soundcloud.com | API
api-partners.soundcloud.com | API
api-v2.soundcloud.com | API
api-widget.soundcloud.com | API
soundcloudmail.com | Other
Target name | Type
advertising.soundcloud.com | Website
blog.soundcloud.com | Website
community.soundcloud.com | Website
copyright.soundcloud.com | Website
help.soundcloud.com | Website
press.soundcloud.com | Website
status.soundcloud.com | Website
Testing is only authorized on the targets listed as In-Scope. Any
domain/property of Soundcloud not listed in the targets section is out of
scope. This includes any/all subdomains not listed above.
If you believe you've identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
Main website for SoundCloud users
SoundCloud owns two major mobile applications
Our various APIs for soundcloud.com, our mobile applications, partners and
API docs available here: https://developers.soundcloud.com/docs/api/guide
Mobile-optimized version of soundcloud.com
Payment site for purchasing SoundCloud Go and frontend to third-party payment platform
Cross-device sign-ins (e.g. signing in from Xbox) and password reset flow
SoundCloud’s embeddable player widget
No credentials will be provided for this program. Researchers are encouraged to self-signup for and test using various types of user accounts (user accounts, artist accounts, etc.). DO NOT perform testing against any account you do not expressly own. You're free to create multiple accounts, but again, do not test against anything you don't personally own.
Please note that there is an authenticated partners portal, but account credentials will not be supplied for this program. Feel free to test the authentication functionality.
We don't want to affect production users or create illegitimate traffic for SoundCloud end-users. Testing input parameters (comments, messaging, etc.) should NOT be performed on real artist or user pages. However, you're free to create your own accounts to test these areas, or use the following designated artist page to test input functionality for vulnerabilities: https://soundcloud.com/hobnobclanandthereflux
This program does not provide testing funds or reimbursements. However, if desired, researchers are welcome to use their own money to test paid SoundCloud features.
Whitehat security researchers are always welcome, and responsible research and disclosure is not a matter for our lawyers. However, we do not tolerate any of the following, which will always be reported to the relevant authorities:
When conducting vulnerability research according to this policy, we consider this research to be:
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via email@example.com before going any further.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.