Details

Smule welcomes working with the security community to resolve security vulnerabilities in order to keep our customers safe! We will make a best effort to respond to incoming reports and keep you informed about our progress toward resolving any issues.

Vulnerability Disclosure

If you have identified a potential security vulnerability in our technology, please submit us a detailed report with reproducible steps.
Follow HackerOne's disclosure guidelines.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Scope

Any production public-facing website owned & operated by Smule. Any application published on the Apple App Store or Google Play Store published by Smule.

Restrictions & Exclusions

The use of automated scanning against the web or API are strictly prohibited and will result in IP bans along with rejection of any findings

The following issues fall outside the scope of our VDP:

No Social engineering attacks (e.g. phishing, vishing, smishing)
No physical attacks of Smule’s office or data centers are permitted
No Denial-of-Service attacks
Brute force attacks
No beta or other pre-production/testing environments
No 3rd party party hosted applications (ex: status pages, customer support systems)
Outdated TLS configurations which remain to support legacy Android
Clickjacking attacks without a documented series of clicks that produce a vulnerability
Email (including SPF/DKIM/DMARC)
Missing HTTP headers, unless a vulnerability can be demonstrated
Assumed vulnerabilities based upon version numbers only
Insecure cookie settings for non-sensitive cookies
Bugs requiring exceedingly unlikely user interaction
Smule reserves the right to make the final decision on the classification of all vulnerability reports. We may mark reports as duplicate, non-applicable or otherwise, at our own discretion.

Rewards

We do not offer a bug bounty at this time, but certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for a bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.

Vulnerability Disclosure

If you have identified a potential security vulnerability in our technology, please submit us a detailed report with reproducible steps.

Follow HackerOne's disclosure guidelines.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Restrictions & Exclusions

The use of automated scanning against the web or API are strictly prohibited and will result in IP bans along with rejection of any findings

The following issues fall outside the scope of our VDP:

No Social engineering attacks (e.g. phishing, vishing, smishing)

No physical attacks of Smule’s office or data centers are permitted

No Denial-of-Service attacks

Brute force attacks

No beta or other pre-production/testing environments

No 3rd party party hosted applications (ex: status pages, customer support systems)

Outdated TLS configurations which remain to support legacy Android

Clickjacking attacks without a documented series of clicks that produce a vulnerability

Email (including SPF/DKIM/DMARC)

Missing HTTP headers, unless a vulnerability can be demonstrated

Assumed vulnerabilities based upon version numbers only

Insecure cookie settings for non-sensitive cookies

Bugs requiring exceedingly unlikely user interaction

Smule reserves the right to make the final decision on the classification of all vulnerability reports. We may mark reports as duplicate, non-applicable or otherwise, at our own discretion.

Rewards

We do not offer a bug bounty at this time, but certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for a bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.