Responsible Disclosure

At SoundCloud, we take the safety of our users very seriously. If you believe you have discovered a possible security vulnerability on our platform, API(s), app(s), or in any other SoundCloud service, please help us to fix it as quickly as possible by disclosing your findings in accordance with this policy.

Publicly disclosing a vulnerability can put the entire community at risk, so we urge you to keep matters private until a fix can be rolled out from our side.

Reporting Issues

  • If you believe you have found a security vulnerability on SoundCloud, please let us know right away by filling out our Responsible Disclosure form here

  • Please include as much information as possible in your report, including a way for us to reproduce the issue.
  • We will confirm receipt of valid reports within 24 hours (on a business day); a member of the security team will look into your finding within a week and then get back to you.

  • Please do not make your research or findings public or share them with anyone until we have had a chance to investigate and roll out a fix.

Permitted Research

Whitehat security researchers are always welcome, and responsible research and disclosure is not a matter for our lawyers. However, we do not tolerate any of the following, which will always be reported to the relevant authorities:

  • any attempt to modify or destroy data

  • any attempt to interrupt or degrade the services we offer to our users

  • any attempt to execute a Denial of Service attack

  • any attempt to access a user's account or data

  • any research that involves violation of any applicable law

Please only test for vulnerabilities on SoundCloud systems - systems hosted by third parties (e.g. blog.soundcloud.com, help.soundcloud.com) are NOT within scope of this policy.

Reward Program

Researchers that responsibly disclose qualifying issues in accordance with this policy may be eligible for a reward and/or inclusion in our Hall of Fame.

Qualifying issues are web vulnerabilities with a valid attack scenario, which demonstrate exploitability and have significant impact on our users or our infrastructure, including:

  • Authentication flaws

  • Circumventing of platform and/or privacy permissions

  • Privilege escalation

  • Clickjacking

  • Cross-site scripting (XSS)

  • Cross-site request forgery (CSRF)

  • SQL injection

  • Arbitrary redirect

  • Server-side code execution (RCE)

Issues that do not qualify include:

  • User enumeration

  • CSRF on logout

  • Denial of Service (DoS)

  • Minor information disclosures (e.g. server software/version)

  • Lack of the Secure flag on non-sensitive cookies

  • Lack of the HTTP Only flag on non-sensitive cookies

  • Spamming

  • Social engineering of vulnerabilities requiring exceedingly unlikely user interaction

  • Security vulnerabilities in third-party websites and applications that integrate with SoundCloud

  • Issues affecting outdated or unpatched browsers

  • Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible to attack

Whether or not an issue is a qualifying issue, as well as eligibility for a reward and/or inclusion in our Hall of Fame, are decisions taken by SoundCloud in its discretion. Only the first researcher to report a specific qualifying issue is eligible for a reward and/or inclusion in our Hall of Fame, and we reserve the right to cancel this program at any time without notice.

Hall of Fame

On behalf of our millions of users, we would like to give a shout-out here on our Hall of Fame to all security researchers that have helped us keep SoundCloud safe by reporting a security vulnerability to us responsibly - we really appreciate it!

  • Michael Cowell (compl3x)
  • joernchen of Phenoelit
  • Egor Homakov
  • Mariano Di Martino
  • M.R.Vignesh Kumar (@vigneshkumarmr)
  • Atulkumar Hariba Shedage
  • Ajay Singh Negi
  • Thamatam Deepak
  • Mohamed Ramadan
  • Yuji Kosuga
  • Kamil Sevi (@kamilsevi)
  • Emanuel Bronshtein
  • Adam Ziaja
  • Rafay Baloch (@rafaybaloch)
  • Frans Rosén (@detectify)
  • Nils Jünemann
  • Maxim Rupp
  • Abhinav Karnawat / w4rri0r /
  • Mathias Karlsson (@detectify)
  • Saqib Kamran (@saqibkamran)
  • Jaime Manteiga
  • Riyaz Walikar
  • Muhammad Waqar (@MuhammadWaqar_9)
  • Ehraz Ahmed (@securityexe)
  • Veli-Pekka Vainio (@veeeeep)
  • Jatinpreet Singh (@SillyGeek)
  • Sasi Levi (@sasi2103)
  • Tejash Patel (@tejash1991)
  • Ankit Bharathan
  • Javid Hussain (@javidhussain21)
  • Anand Prakash (@sehacure)
  • Abdelhamid Aboulouafa (@_ham1d)
  • Ashar Javed (@soaj1664ashar)
  • Denis Kolegov (@dnkolegov)
  • Masato Kinugawa
  • Luis Felipe Teixeira (@vergl4s)
  • Siddhesh Gawde (pen3t3r)
  • Ali Hasan Ghauri (@alihasanghauri)
  • J. M. Gazzlay (@gazly)
  • Tom Van Goethem (@tomvangoethem)
  • Mathias Bynens (@mathias)
  • Umer Shakil (@umer_djzz)
  • Rafael Pablos
  • Nakul Mohan (@Nakul_Mohan_Cia)
  • Simone Memoli (@Simon90_Italy)
  • Ketan Sirigiri (@Cigniti)
  • Garry Bacalso
  • Hammad Shamsi
  • Max Prietzel
  • Waleed Ezz Eldin (WIBF)
  • Dennis Baaten (@dennisbaaten)
  • Momen Basel (@momenbassel)
  • Abdul Haq Khokhar (@abdulhaqkhokhar)
  • Mazen Gamal Mesbah (@MazenGamal)
  • Evan Ricafort (@evanricafort)
  • Mohammed Fayez Albanna
  • Mohamed Abdelbaset Elnoby (@SymbianSyMoh)
  • Hamid Ashraf (@hamihax)
  • Saurabh Gandhi (Sam Gandhi)
  • Paulos Yibelo
  • Jonathan Metzman
  • Achanta Varun Chowdary (@varunmuna53)
  • Yash Pandya (@eryash9_yash)
  • Abdul Rehman (@Abdul_R3hman)
  • Abhibandu Kafle (@kabhi_kav)
  • Shahmeer Amir (@Shahmeer_Amir)
  • Zeyad Khaled Mohamed (@zeyadk99)
  • Jeroen Blevi (@triponoid)
  • Victor Hylejam Flores Olivares (@victorhylejam)
  • Ahmed Y. Elmogy (@mogyhacker)
  • Ahmed Mehtab (@ahmedmehtabPK)
  • Koutrouss Naddara (@KoutroussNaddar)
  • Haider Kamal (@haiderkamal122)
  • Tony Trummer
  • Sergey Bobrov (@Black2Fan)
  • Dhaval Chauhan (@17haval)
  • Ashutosh Kumar (@ccfisinfo)
  • Ashish Pathak (@pathakbackz)
  • C Vishnu Vardhan Reddy (@Vishnu_dfx)
  • Callum Carney
  • Ahmed Adel Abdelfattah (@00SystemError00)
  • Rui Silva (@ruisilva2015)

If you have previously disclosed a security issue in accordance with this policy and believe your name is missing from this list, please email us at whitehat@soundcloud.com.