
Reporting a security vulnerability


At SoundCloud, we take the safety of our users very seriously. If you believe you have discovered a possible security vulnerability on our platform, API(s), app(s), or in any other SoundCloud service, please help us to fix it as quickly as possible by disclosing your findings in accordance with this policy.

Publicly disclosing a vulnerability can put the entire community at risk, so we urge you to keep matters private until a fix can be rolled out from our side.


How to report a security vulnerability

If you believe you have found a security vulnerability on SoundCloud, please let us know right away by filling out our Responsible Disclosure form.

Please include as much information as possible in your report, including the steps we need to reproduce the issue.
We will confirm receipt of valid reports within 24 hours (on a business day); a member of the security team will look into your finding within a week and get back to you after that.

Please do not make your research or findings public or share them with anyone until we have had a chance to investigate and roll out a fix.

Permitted Research

Whitehat security researchers are always welcome, and responsible research and disclosure are not a matter for our lawyers. However, we do not tolerate any of the following, which will always be reported to the relevant authorities:
  • any attempt to modify or destroy data
  • any attempt to interrupt or degrade the services we offer to our users
  • any attempt to execute a Denial of Service attack
  • any attempt to access a user's account or data
  • any research that involves violation of any applicable law

Please only test for vulnerabilities on SoundCloud systems. Systems hosted by third parties (e.g. blog.soundcloud.com, help.soundcloud.com) are NOT within the scope of this policy.

Reward Program

Researchers that responsibly disclose qualifying issues in accordance with this policy may be eligible for a reward and/or inclusion in our Hall of Fame.

Qualifying issues are web vulnerabilities with a valid attack scenario that demonstrates exploitability and has a significant impact on our users or our infrastructure, including:
  • Authentication flaws
  • Circumventing of platform and/or privacy permissions
  • Privilege escalation
  • Clickjacking
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Arbitrary redirect
  • Server-side code execution (RCE)

Issues that do not qualify include:
  • User enumeration
  • CSRF on logout
  • Denial of Service (DoS)
  • Minor information disclosures (e.g. server software/version)
  • Lack of the Secure flag on non-sensitive cookies
  • Lack of the HTTP Only flag on non-sensitive cookies
  • Spamming
  • Social engineering, and vulnerabilities requiring exceedingly unlikely user interaction
  • Security vulnerabilities in third-party websites and applications that integrate with SoundCloud
  • Issues affecting outdated or unpatched browsers
  • Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible to attack

Whether or not an issue is a qualifying issue, as well as eligibility for a reward and/or inclusion in our Hall of Fame, are decisions taken by SoundCloud at its discretion. Only the first researcher to report a specific qualifying issue is eligible for a reward and/or inclusion in our Hall of Fame, and we reserve the right to cancel this program at any time without notice.

Hall of Fame

On behalf of our millions of users, we would like to give a shout-out here on our Hall of Fame to all security researchers who have helped us keep SoundCloud safe by reporting a security vulnerability to us responsibly. We really appreciate it!

  • Michael Cowell (compl3x)
  • joernchen of Phenoelit
  • Egor Homakov
  • Rafael Pablos
  • Jonathan Metzman
  • Mariano Di Martino
  • M.R.Vignesh Kumar (@vigneshkumarmr)
  • Atulkumar Hariba Shedage
  • Nakul Mohan (@Nakul_Mohan_Cia)
  • Achanta Varun Chowdary (@varunmuna53)
  • Ajay Singh Negi
  • Thamatam Deepak
  • Mohamed Ramadan
  • Simone Memoli (@Simon90_Italy)
  • Yash Pandya (@eryash9_yash)
  • Yuji Kosuga
  • Kamil Sevi (@kamilsevi)
  • Emanuel Bronshtein
  • Ketan Sirigiri (@Cigniti)
  • Abdul Rehman (@Abdul_R3hman)
  • Adam Ziaja
  • Rafay Baloch (@rafaybaloch)
  • Frans Rosén (@detectify)
  • Garry Bacalso
  • Abhibandu Kafle (@kabhi_kav)
  • Nils Jünemann
  • Maxim Rupp
  • Abhinav Karnawat / w4rri0r /
  • Hammad Shamsi
  • Shahmeer Amir (@Shahmeer_Amir)
  • Mathias Karlsson (@detectify)
  • Saqib Kamran (@saqibkamran)
  • Jaime Manteiga
  • Max Prietzel
  • Zeyad Khaled Mohamed (@zeyadk99)
  • Riyaz Walikar
  • Muhammad Waqar (@MuhammadWaqar_9)
  • Ehraz Ahmed (@securityexe)
  • Waleed Ezz Eldin (WIBF)
  • Jeroen Blevi (@triponoid)
  • Veli-Pekka Vainio (@veeeeep)
  • Jatinpreet Singh (@SillyGeek)
  • Sasi Levi (@sasi2103)
  • Dennis Baaten (@dennisbaaten)
  • Victor Hylejam Flores Olivares (@victorhylejam)
  • Tejash Patel (@tejash1991)
  • Ankit Bharathan
  • Javid Hussain (@javidhussain21)
  • Momen Basel (@momenbassel)
  • Ahmed Y. Elmogy (@mogyhacker)
  • Anand Prakash (@sehacure)
  • Abdelhamid Aboulouafa (@_ham1d)
  • Ashar Javed (@soaj1664ashar)
  • Abdul Haq Khokhar (@abdulhaqkhokhar)
  • Ahmed Mehtab (@ahmedmehtabPK)
  • Denis Kolegov (@dnkolegov)
  • Masato Kinugawa
  • Luis Felipe Teixeira (@vergl4s)
  • Mazen Gamal Mesbah (@MazenGamal)
  • Koutrouss Naddara (@KoutroussNaddar)
  • Siddhesh Gawde (pen3t3r)
  • Ali Hasan Ghauri (@alihasanghauri)
  • J. M. Gazzlay (@gazly)
  • Evan Ricafort (@evanricafort)
  • Haider Kamal (@haiderkamal122)
  • Tom Van Goethem (@tomvangoethem)
  • Mathias Bynens (@mathias)
  • Umer Shakil (@umer_djzz)
  • Mohammed Fayez Albanna
  • Tony Trummer
  • Mohamed Abdelbaset Elnoby (@SymbianSyMoh)
  • Hamid Ashraf (@hamihax)
  • Saurabh Gandhi (Sam Gandhi)
  • Paulos Yibelo
  • Sergey Bobrov (@Black2Fan)
  • Dhaval Chauhan (@17haval)
  • Ashutosh Kumar (@ccfisinfo)
  • Ashish Pathak (@pathakbackz)
  • C Vishnu Vardhan Reddy (@Vishnu_dfx)
  • Callum Carney
  • Ahmed Adel Abdelfattah (@00SystemError00)
  • Rui Silva (@ruisilva2015)
  • Shahar Albeck (@l33terally)
  • Saeed Hashem
  • Alyssa Herrera (@_Psycho_Mantis)
  • Yogesh Modi
  • Giorgos Giannoutsos (@nuc)
  • Sam Berson (@SamBerson)
  • Khaled Hassan Ayad (@KhaledAzrail)
  • Kamil Hismatullin (@kamil_hism)
  • Arne Swinnen (@ArneSwinnen)
  • Eusebiu Blindu (@testalways)
  • Diogo Real
  • Tanner Emek
  • Amarjit Signh (@testieaccou1234)
  • Mustafa (strukt) Hasan (@strukt93)
  • Frank Ng (@fng)
  • Harry M. Gertos (@GertyBoy27)


If you have previously disclosed a security issue in accordance with this policy and believe your name is missing from this list, please email us at whitehat@soundcloud.com.