Taking Our Bug Bounty Program Public

We’re excited to announce the launch of our public bug bounty program with Bugcrowd — the #1 crowdsourced security platform. This public program is open to Bugcrowd’s full crowd of top, trusted whitehat hackers, and we will award up to $1,500 per vulnerability identified on our website, API, and mobile apps.

Security is a top priority at SoundCloud, and we’re committed to keeping the community and its content safe. And, as a leading audio streaming platform, we’re prepared to handle a distinctive set of security issues. These span from processing, transcoding, and formatting user-generated content without risking remote code execution, to detecting and blocking malware distribution and preventing illegitimate downloads and streaming access. Additionally, since the platform offers a highly social streaming experience with user-generated content and integrations, we have to be mindful of potential XSS and CSRF attacks.

As part of our commitment to our users, we’re focused on building state-of-the-art security monitoring and protection solutions for our platform. In order to balance that focus with the team’s operational work, we’re always looking for ways to improve our efficiency. And one of those ways is to have additional support for handling top-of-funnel security work for vulnerability reports. Examples of this work include triaging, reproducing, prioritizing, and resolving duplicates.

This is where Bugcrowd comes in. Bugcrowd’s community-driven vulnerability testing is a key tool for us to receive external testing on our services and platform, alongside explicit pentesting by security agencies and our various internal automated tests and peer reviews. With Bugcrowd, the quantity and quality of vulnerability reports are higher than ever before. Many of Bugcrowd’s security testers follow the same news and read the same forums as malicious users, so they help us react to new attack vectors much faster.

Since using Bugcrowd, we’ve seen several benefits, including:

  • A significantly lowered barrier to reporting security vulnerabilities and increased quality in security vulnerability reports
  • Additional dedicated time to focus on building services specific to our needs
  • Having a known platform with clear processes, taxonomy, and rules that attracts more professional researchers with more expertise
  • Increased confidence that critical issues are continuously being probed, identified, and addressed

We’re excited to take this next step in our crowdsourced security journey: making our bug bounty program public. To engage in our program, take a look at our program brief: https://bugcrowd.com/soundcloud.