Audius

Security

Security is vital to Audius' mission. We work hard to ensure that data is always safe. Our Privacy Policy and Terms of Use describe our data-use practices, and we encourage third parties to explore our codebases and respectfully disclose vulnerabilities and issues.

Bug Bounty Policy

We generally adhere to HackerOne's disclosure guidelines.

Disclosure process

  1. Safely disclose the issue, together with any applicable proof-of-concept or steps for reproduction, to security@audius.co
  2. We determine the severity of the issue together, following informal CVSS guidelines (example), and produce a classification (low, medium, high, critical)
  3. The bounty is paid out
  4. A fix is produced and rolled out, after which the reporter may disclose the issue publicly
  5. We produce and publish documentation of the issue

Bounty

  • "Critical" - $5,000
  • "High" - $2,000
  • "Medium" - $500
  • "Low" - $0 - $100

Not eligible for reward

  • Third-party applications that use Audius APIs
  • XSS requiring legacy browsers
  • Self-XSS
  • SSL/TLS best practices
  • Missing HTTP header which does not lead to a direct vulnerability
  • Missing cookie flags, unless the absence can be abused by a legitimate workflow
  • Clickjacking without demonstration of impact
  • Account enumeration through brute-force attacks
  • CSV command execution
  • Best practice recommendations with no proof-of-concept
  • Token reuse, password poisoning, or account revocation with regard to the documented security considerations in Hedgehog

Other Concerns

All other security concerns should be directed at security@audius.co.