Responsible Disclosure Policy
At Sprout Social, we take the security of our users' data very seriously. We encourage those who have discovered potential security vulnerabilities in a Sprout Social service to disclose them to us in a responsible manner. This Responsible Disclosure Policy outlines steps for reporting vulnerabilities, what to expect, and what you can expect from us.
Our Commitment to You
For all individuals who report suspected vulnerabilities in alignment with this Responsible Disclosure Policy, Sprout Social promises to:
- Maintain confidentiality with you
- Acknowledge receipt of your report in a timely manner
- Assess validity of the submission and evaluate for severity and impact
- Notify you when the vulnerability is fixed
- Publicly acknowledge your responsible disclosure, if you wish
Scope, Guidelines, and Exclusions
Sprout Social partners with Bugcrowd for our Vulnerability Disclosure Program (“VDP”). The assets in scope can be found under the Scope section of Sprout Social’s Bugcrowd VDP page.
You may only test for security vulnerabilities using an account for which you are the Account Owner or an agent authorized by the Account Owner to conduct such testing.
All testing must be conducted in compliance with this Responsible Disclosure Policy, Sprout Social’s Terms of Service Bugcrowd’s Standard Disclosure Terms, and all applicable laws.
Sprout Social prohibits the following types of research and testing:
- Intentionally accessing, or attempting to access, data that does not belong to you
- Executing, or attempting to execute, a Denial of Service (DoS/DDoS) attack or stress testing the application, systems, or networks
- Sending, or attempting to send, unsolicited or unauthorized email, spam, or other forms of unsolicited messages
- Conducting research through social engineering or other deceptive means (e.g. phishing, vishing, smishing, link manipulation)
- Testing third-party websites, applications, or services that integrate with Sprout Social
- Knowingly posting, transmitting, uploading, linking to, sending or storing any malware, viruses, or similar harmful software
- Conducting any form of security testing or auditing of physical locations including but not limited to Sprout Social offices, data centers, and facilities
- Research conducted by minors, individuals on sanctions lists, or individuals in countries on sanctions lists
- Any activities prohibited by Bugcrowd’s Standard Disclosure Terms
Safe Harbor
Sprout Social reserves all of its legal rights in the event of noncompliance with this Responsible Disclosure Policy, but does not intend to pursue legal action against parties who conduct security research and disclose information to us in good faith, as documented in this Policy.
Submitting Your Vulnerability Report
Please submit all suspected vulnerabilities through our Bugcrowd VDP at https://bugcrowd.com/sproutsocial.
Suspected vulnerabilities that are reported through other means, such as by email, social media, or a bug bounty platform other than Bugcrowd will not be accepted.
In reporting any suspected vulnerabilities, please include adequate information to allow us to reproduce your steps and follow up.
To protect our user’s privacy and security:
- Please do not publicly disclose details about any suspected vulnerabilities that you may have identified without express written consent from Sprout Social.
- Immediately after submitting your report, please delete/destroy any local or cached copies of data you may have accessed or received during your testing.
Rewards/Compensation
You may be eligible for a reward if you are the first person to submit a specific vulnerability, the vulnerability is validated by Sprout Social’s Security Team, and you have complied with all of the terms, rules, and restrictions listed within. The availability of any rewards or compensation is at the sole discretion of Sprout Social and are distributed exclusively through the Bugcrowd platform. Sprout Social makes no guarantee, express or implied, that any rewards or compensation will be offered. For more information, please view our Bugcrowd page at: https://bugcrowd.com/sproutsocial