Vulnerability Reward Policy

Services in scope

Any *.spreaker.com web service is intended to be in scope. Third-party plugins, inclusions and websites are excluded (e.g. JavaScript included from a third-party domain).

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data (other than your own) is likely to be in scope. This includes:

  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Server-side intrusion (access to Spreaker's servers, source code or databases)

Non-qualifying vulnerabilities

  • Already reported vulnerability
    Vulnerabilities already reported by you or another researcher that are still open. Two reports count as the same vulnerability when they describe the same attack vector on two or more web services or website pages
  • Do-it-yourself XSS
    Self-XSS and other issues that affect only your own account and cannot be used to attack other users
  • Bad practices without a POC
    Known bad practices reported without a working proof of concept showing they can actually be used as an attack vector against Spreaker
  • URL redirections
    Open redirects are considered only when accompanied by a practical attack
  • Bugs requiring exceedingly unlikely user interaction
    For example, the victim would have to paste an XSS payload into a field themselves
  • Flaws affecting only users of out-of-date browsers
    Supported browsers: IE9+ and the latest versions of Chrome, Firefox, Opera and Safari
  • DoS / DDoS attacks
  • Brute force attacks
  • Man-In-The-Middle attacks

Responsible Disclosure Policy

If you give us reasonable time to respond to your report before making any information public, and make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring a lawsuit against you or ask law enforcement to investigate you.

Automated testing is not permitted

Using automated scanners or testing tools will automatically disqualify you from all bug bounties and will result in termination of your account.

Reward amounts

Rewards for qualifying bugs range from $100 to $1,000, sent to your PayPal account. The following table outlines the usual rewards for the most common classes of bugs:

up to $100     Vulnerabilities that compromise another user's data (e.g. you can edit a third-party user's profile data)
up to $500     Vulnerabilities that globally compromise user accounts (e.g. you can authenticate as any third-party user, delete any third-party account, or change the email or password of any third-party account)
up to $1,000   Vulnerabilities that compromise Spreaker's private data and servers (e.g. you can access the source code, query the database, or get a shell on a server)


IMPORTANT: reward payments are sent only via PayPal. We do not make exceptions.

How to report an issue

If you discover a vulnerability, please send an email containing a working proof of concept to security@spreaker.com.

Copyright 2016 - Spreaker Inc. - San Francisco, CA