New program follows a year-long private VDP
Music-sharing site Audiomack is launching a public bug bounty program to encourage security researchers to share information on suspected vulnerabilities.
The artist-focused music streaming service is working with Bugcrowd to run its new vulnerability disclosure program (VDP).
Previously, Audiomack had run a private VDP, also with Bugcrowd, for around a year.
The music service is now opening this up to all security researchers and will offer what it describes as competitive rewards.
Audiomack does not, though, state a maximum bounty.
According to Sean Coker, director of engineering at Audiomack, the existing VDP has helped the music service to triage and validate potential vulnerabilities, allowing its in-house engineers to focus on deploying fixes.
Moving to a public platform gives Audiomack access to a wider range of testing skills and allows it to “find and fix critical security gaps before they can be exploited”, Coker said.
The VDP will not cover security flaws related to third-party vendors, brute-force attacks, or attempts to use social engineering to gain access to Audiomack systems.
Bugcrowd claims that the number of critical and high-severity vulnerabilities found by researchers on its platform grew by 73% from 2019 to 2020.