Phosphorescence aims to be as secure as possible. However, if you find a security vulnerability, please do not file a GitHub issue. Instead, contact us directly at [email protected].
One attack vector of particular note is our script execution engine. We have taken care to make sure custom script execution is heavily sandboxed. However, we understand that testing this sandboxing is imperative, as long as it is done without malicious intent.
In order to ensure the security of our users, anyone attempting to find security flaws for disclosure to the Phosphorescence team must do so responsibly, which includes not making exploitative or potentially exploitative scripts public or otherwise marketing them for public consumption. Doing so will be taken as acting in bad faith and will likely result in your account being suspended and, where necessary, reported.
Conversely, if you would like to declare your interest in testing the security of the engine ahead of time, you may email us at [email protected] from the email address associated with your Spotify account. Make sure you include a link to your Spotify profile so we can cross-reference your Spotify ID with your Phosphorescence ID and with the Spotify-linked email you are writing from. This way, we will have a heads-up about your intentions.
As an alternative to the above, you may run a local instance of Phosphorescence and test from there.
Please note that the above is in no way an invitation to attack the site, site owners, or users. We will not tolerate any form of penetration testing that has an actual effect on our data, servers, bandwidth, etc. The above is only with regards to demonstrating weaknesses in the client-side execution sandboxing and only in the capacity that the demonstration has no actual harmful effects.