This blog post is authored by Tobias Schmidt, Security Engineer, SoundCloud.

SoundCloud is excited to announce the launch of its public bug bounty program with Bugcrowd — the #1 crowdsourced security platform. SoundCloud’s public program is open to Bugcrowd’s full Crowd of top, trusted whitehat hackers, and the company will award up to  $1,500 per vulnerability identified on its website, API and mobile apps.

SoundCloud is the world’s largest open audio platform, powered by a connected community of creators, listeners, and curators on the pulse of what’s new, now, and next in culture. SoundCloud is home to the largest catalog in the world, with more than 200 million tracks from over 20 million creators.

Security is a top priority at SoundCloud, and we’re committed to keeping the community and its content safe. And, as a leading audio streaming platform, we’re prepared to handle an extremely unique set of security issues. These span from processing, transcoding, and formatting user-generated content without risking remote code executions, to detecting and blocking malware distribution, preventing illegitimate downloads and streaming accessibility. Additionally, since the platform offers a highly social streaming experience with user-generated content and integration, we have to be mindful of potential XSS and CSRF attacks.  

As part of our commitment to our users, we’re focused on building state-of-the-art security monitoring and protection solutions for our platform. In order to balance that focus with the team’s operational work, we’re always looking at ways to improve our efficiency. And one of those ways is to have additional support for handling top-of-funnel security work for vulnerability reports. Examples of this work include triaging, reproducing, prioritizing, and resolving duplicates.

This is where Bugcrowd comes in. Bugcrowd’s community-driven vulnerability testing is a key tool for us to receive external testing on our services and platform, along with explicit pentesting by security agencies and our various internal automated tests and peer reviews. With Bugcrowd, the quantity and quality of vulnerability reports is higher than ever before. Many of Bugcrowd’s security testers follow the same news and read the same forums as malicious users, so they help us react to new attack vectors much faster.

Since using Bugcrowd, we’ve seen several benefits, including:

  • A significantly lowered barrier to reporting security vulnerabilities and increased quality in security vulnerability reports
  • Additional dedicated time to focus on building services specific to our needs
  • Having a known platform with clear processes, taxonomy, and rules that attract more professional researchers with more expertise
  • Increased confidence that critical issues are continuously being probed, identified, and addressed

We’re excited to take this next step in our crowdsourced security journey, taking our bug bounty program public. To engage in our program, take a look at our program brief: https://bugcrowd.com/soundcloud