At Spreaker, we take security very seriously and we believe that all help matters to promptly discover and address bugs and security issues. If you believe you've found a security issue within our service, we're happy to work with you to resolve that issue and ensure you are compensated for your discovery.

Services in Scope

All these services are NOT in scope because they are managed by third-party vendors:

Third-party plugins, inclusions and websites are also excluded (e.g. JavaScript included from a third party).

Any other * web services are considered in scope.

Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data (except when it affects only your own account) is likely to be in scope. This includes:

  • Cross-site scripting

  • Cross-site request forgery

  • Mixed-content scripts

  • Authentication or authorization flaws

  • Server-side code execution bugs

  • Server-side penetration

Non-Qualifying Vulnerabilities

  • Already reported vulnerability: vulnerabilities already reported by you or by other researchers and still open. Two reports are considered the same vulnerability if the same attack vector is reported for two or more web services or website pages

  • Do-it-yourself (self) XSS: vulnerabilities that affect only your own account and cannot be exploited to attack other users

  • Bad practices without a PoC: known bad practices reported without real proof that they can be used as an attack vector against Spreaker

  • URL redirections: we consider only URL redirections that come with a practical attack

  • Bugs requiring exceedingly unlikely user interaction: for example, the user is required to manually paste XSS code into a field

  • Flaws affecting users of out-of-date browsers. Supported browsers: Edge, Chrome, Firefox, Opera, Safari (latest versions)

  • DoS / DDoS attacks

  • Brute force attacks

  • Man-In-The-Middle attacks

Responsible Disclosure Policy

As long as you give us a reasonable amount of time to respond to your report before making any information public, and make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.

Automated testing is NOT permitted

Using automated tests will automatically disqualify you from all bug bounties and will result in the termination of your account.

Reward Amounts

Rewards for qualifying bugs range from $100 to $1,000, sent to your PayPal account. The following list outlines the usual rewards given for the most common classes of bugs:

  • up to $100: vulnerabilities that compromise third-party user data (e.g. you can edit another user's profile data)

  • up to $500: vulnerabilities that globally compromise user accounts (e.g. you can authenticate as any other user, delete any other user's account, change the email or password of any other user's account, ...)

  • up to $1,000: vulnerabilities that compromise Spreaker's private data and servers (e.g. you can access the source code, query the database, get remote access to a server, etc.)

IMPORTANT: reward payments are sent only via PayPal. We do not make exceptions.

How to report an issue

If you discover any vulnerability, please send an email containing a working proof-of-concept to
