Responsible Disclosure Policy
At Sprout Social™, we take the security of our users’ data very seriously. We encourage those who have discovered potential security vulnerabilities in a Sprout Social™ service to disclose them to us in a responsible manner.
We will work with security researchers to validate and respond to vulnerabilities that are reported to us. If you discover a security vulnerability and report it in accordance with this Responsible Disclosure Policy, we will not take legal action or terminate your account access. Sprout Social reserves all of its legal rights in the event of any noncompliance.
Testing for Security Vulnerabilities
You may only test against an account for which you are the account owner or an agent authorized by the account owner to conduct such testing.
Sprout Social™ Prohibits the Following Types of Research:
- Accessing, or attempting to access, data that does not belong to you
- Executing, or attempting to execute, a denial of service attack
- Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages
- Testing third party websites, applications or services that integrate with Sprout Social™
- Knowingly posting, transmitting, uploading, linking to, sending or storing any malware, viruses or similar harmful software
- Research conducted by minors, individuals on sanctions lists or individuals in countries on sanctions lists
Reporting Potential Vulnerabilities
Please share the details of any suspected vulnerabilities with the Sprout Social Security Team by submitting a report through our Bugcrowd Program. If your report is outside the scope of our Bugcrowd Program, please send an email to security@sproutsocial.com.
Please do not publicly disclose these details without express written consent from Sprout Social™. In reporting any suspected vulnerabilities, please include adequate information to allow us to reproduce your steps and follow up.
No Compensation
Sprout Social™ does not compensate individuals or organizations for identifying potential or confirmed vulnerabilities. Requests for monetary compensation will be deemed in violation of this Responsible Disclosure Policy.
Sprout Social’s Commitment
To all security researchers who follow this Responsible Disclosure Policy, Sprout Social™ promises to:
- Acknowledge receipt of your report in a timely manner
- Provide an estimated time frame for addressing the vulnerability
- Notify you when the vulnerability is fixed
- Publicly acknowledge your responsible disclosure, if you wish
Thanks!
Sprout Social™ thanks the following individuals and organizations that have participated in our responsible disclosure program.
- Muhammad Waqar – @MuhammadWaqar_9
- Rafay Baloch – @rafaybaloch
- Saqib Kamran – @saqibkamran
- Tom Van Goethem – @tomvangoethem
- Kamil Sevi – @kamilsevi
- Francisco Correa – @panchocosil
- Vedachala – @vedachalaka
- Himanshu Sharma
- Jay Turla – @shipcod3
- Mahadev Subedi – @blinkms
- Nikhalesh Singh Bhadoria – @nikhaleshsingh
- Ajay Singh Negi – @AjaySinghNegi
- Team Defencely – @Defencely
- Jigar @ Infobit – @jigarthakkar39
- Frans Rosén – @detectify
- Shahee Mirza – @shaheemirza
- Sunil Dadhich – @Sunil_Dadhich7
- Issam Rabhi – @IssRabhi
- Krutarth Shukla – @KrutarthShukla
- Javid Hussain – @javidhussain21
- Siddhesh Gawde – @pen3t3r
- Nitesh Shilpkar
- Denis Kolegov – @dnkolegov
- Ravindra Singh Rathore – @ravindra_hacks
- Vinesh N. Redkar – @b0rn2pwn
- Devesh Bhatt – @deveshbhatt11
- Sebastian Neef – @internetwache
- Muhammad Shahmeer (Maads-Security) – @Shahmeer_Amir
- Rishiraj Sharma – @ehrishiraj
- Florin – @QuisterTow
- J Muhammed Gazzaly – @gazly
- Jose Pino – @Fr4phc0r3
- Mayank Kapoor – @wHys0SerI0s
- Gurjant Singh – @GurjantSadhra
- Sujoy Chakravarti – @sujoy3188
- Divakar – @kd.divakar
- Ketan Sirigiri – @cigniti
- Nates Mom – @nateturnersmom
- Daniel Alvear – @Mazt0r
- Gineesh George – @g1n1_influenza
- Evan Ricafort – @robinhood0x00
- Tony Trummer
- Paul Biteng – @PaulBits
- Ali Hassan Ghori – @alihasanghauri
- Blessen Thomas – @pentagramz
- Lyon Yang – @l0Op3r
- Ahmed El-Mahalawy – @A7medElMa7alawy
- Vincent Tan – @vincent_tky
- Kiran Karnad – @ipentest
- Mohammed Fayez Albanna – @bana2313
- Mahadev Subedi – @blinkms
- Prashant Padmashali – @prashantpadmashali
- Sarwar Jahan M – @sarwarjahanm
- SaifAllah benMassaoud – @benmassaou
- Jayesh Patel – @jayeshpatel20
- Pradipta Das – https://linkedin.com/in/pradiptad4s/
- Ismail Tasdelen – https://www.linkedin.com/in/ismailtasdelen/
- Anikesh Lokhande – @LokhandeAnikesh
- Ratnadip Gajbhiye – @ratnadip1998
- Shubham Deshpande – @ShubhamDeksto
- Shoeb Patel – @0xCaptainFreak
- Prabhjot Dunglay – https://www.linkedin.com/in/prabhjotdunglay
- Sahil Kataria – @sahilkataria200
- Pritam Mukherjee – https://www.linkedin.com/in/pritam-mukherjee-urvil-b75ab9b9/
- Fika Februarinto – https://twitter.com/sec715