General
At SourceAudio we take your data security seriously, and all your communication with our servers is fully encrypted.
If you feel your account or your data may have been compromised or you have any questions about our security procedures, please contact us any time at support@sourceaudio.com.
Bug Bounty Program
Scope
We operate a series of white label websites, any of which you can report vulnerabilities on. Our “site manager”, accessible at https://account.sourceaudio.com/, is itself a target, or you can use it to create an account and make your own white label site to test against for reporting.
We also have several marketing websites running WordPress that you can report on:
- https://www.sourceaudio.com
- https://www.claimfreemusic.com
- https://www.alphalibraries.com
- https://www.podcastmusic.com
Guidelines
We sincerely appreciate your help and happily offer bounties on confirmed vulnerabilities.
- Bugs must occur in one of the two most recent versions of a major browser (Chrome, Safari, Firefox, Mobile Chrome, Mobile Safari, or Edge - not Internet Explorer).
- You are the original discoverer of the bug and the first person to report it to us.
- You give us a reasonable amount of time to respond to and resolve the issue before reporting it elsewhere or to the public.
- You are not a minor and are legally allowed to report issues and be paid by a company in the United States.
- Reports on out-of-date software will only be accepted after 60 days have passed since an update was released.
- Only one report of a specific issue will be accepted, even if multiple in-scope targets are vulnerable, i.e., please don’t send a separate report for each marketing site that has the same problem.
- Please test with your own account and site and do not attempt to compromise other customers’ data.
- Please submit any discoveries as plain text with (optional) images or mp4 videos. We will not open attached document files.
- We reserve the sole right to determine which issues are paid and how much, or to modify or cancel this policy at any time. We do appreciate you though, and we’ll try to be fair.
Non-payables
The following items are frequently reported but are working as intended and will not be paid on.
- Capacity or Denial of Service attacks will never be paid for.
- User enumeration via the forgot-password flow. We are aware this is technically possible, but it is heavily rate limited, which makes it realistically infeasible.
- We are happy with our referrer policy and permissions policy configurations and we will not pay for reports about them.
- We are aware CSV injection is possible but we do not pay for reports on it.
- Disputed or “Won’t fix” OpenSSH vulnerabilities, such as CVE-2016-20012, CVE-2020-15778, CVE-2020-14145, and CVE-2023-51767.
- User credentials in data leaks that did not originate from SourceAudio directly.
Issues requiring additional evidence
- Clickjacking, reverse clickjacking, X-Frame-Options/CSP issues. Reports concerning these vulnerabilities need working video proof to be considered. Please do not just send us a screenshot of Burp Suite.
- Password resets or email changes not closing other sessions. Reports concerning this issue need a video of the behavior, including confirming the change and reloading the secondary browser afterwards, to be considered.
Payments
- We’re a small company, but we typically pay $200 for most reported vulnerabilities and $400 for exceptionally critical ones, once we’ve had a chance to investigate and verify them.
- We reserve the right to award more or less, depending on the severity of the issue.
- We prefer to use PayPal for payments but if you need something else specific, please let us know, ideally before you begin reporting.
- We will not pay in cryptocurrency.
- Wire transfers have a minimum of $1,000.
- Please make sure you have a way to be paid legally from the United States. We will not attempt to bypass sanctions to complete payments.
- All tax and legal consequences of payments are entirely your responsibility.
- Before we can pay you, we need certain US tax forms on file. When you report your first bug, please let us know if you would like to be paid as an individual or as a business and we will get you the appropriate form. It should not take long to fill out.
Reporting a Vulnerability
Please submit your findings to security@sourceaudio.com and include a summary of the issue and a proof-of-concept or reproduction steps. We’ll do our best to get back to you quickly, but please be patient if it takes a couple of days to get a response.