At Spreaker, we take security very seriously and we believe that all help matters to promptly discover and address bugs and security issues. If you believe you've found a security issue within our service, we're happy to work with you to resolve that issue and ensure you are compensated for your discovery.
Services in Scope
The following services are NOT in scope because they are managed by third-party vendors:
Any other *.spreaker.com web services are intended to be in scope.
Any design or implementation issue that substantially affects the confidentiality or integrity of user data (except where only your own data is affected) is likely to be in scope. This includes:
Cross-site request forgery
Authentication or authorization flaws
Server-side code execution bugs
Already reported vulnerability: vulnerabilities already reported by you or by other researchers and still open. Two reports count as the same vulnerability if they describe the same attack vector, even when it is reported against two or more web services or website pages.
Do-it-yourself XSS: vulnerabilities that affect only your own account and cannot be exploited to attack other users.
Bad practices without a POC: known bad practices reported without a working proof of concept showing that they can actually be used as an attack vector against Spreaker.
URL redirections: we consider only URL redirections that enable a practical attack.
Bugs requiring exceedingly unlikely user interaction: for example, bugs where the victim would have to manually paste an XSS payload into a field.
Flaws affecting users of out-of-date browsers. Supported browsers are the latest versions of Edge, Chrome, Firefox, Opera and Safari.
DoS / DDoS attacks
Brute force attacks
Responsible Disclosure Policy
As long as you give us a reasonable time to respond to your report before making any information public, and make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.
Automated testing is NOT Permitted
Using automated tests will automatically disqualify you from all bug bounties and will result in account termination.
Rewards for qualifying bugs range from $100 to $1,000, sent to your PayPal account. The following outlines the usual rewards given for the most common classes of bugs:
up to $100: vulnerabilities that compromise third-party user data (e.g. you can edit another user's profile data)
up to $500: vulnerabilities that globally compromise user accounts (e.g. you can authenticate as any other user, delete any other user's account, or change the email or password of any other user's account)
up to $1,000: vulnerabilities that compromise Spreaker's private data and servers (e.g. you can access the source code, query the database, or get remote access to a server)
IMPORTANT: reward payments are sent only via PayPal. We do not make exceptions.
How to report an issue
If you discover any vulnerabilities, please send an email containing a working proof-of-concept at firstname.lastname@example.org.