Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Most recent headlines
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
01/04/2026
January 4 2026, 18:00 (PST) DOLBY AND DOUYIN EMPOWER THE NEXT GENERATON OF CREATORS WITH DOLBY VISION
Douyin Users Can Now Create And Share Videos With Stun...
19/03/2026
Share
Copy link
Facebook
X
Linkedin
Bluesky
Email...
19/03/2026
Share
Copy link
Facebook
X
Linkedin
Bluesky
Email...
19/03/2026
Share
Copy link
Facebook
X
Linkedin
Bluesky
Email...
19/03/2026
Share
Copy link
Facebook
X
Linkedin
Bluesky
Email...
19/03/2026
Share
Copy link
Facebook
X
Linkedin
Bluesky
Email...
19/03/2026
Share
Copy link
Facebook
X
Linkedin
Bluesky
Email...
19/03/2026
How Chris Bolte Builds the Sound of PlayStation Games Chris Bolte '16 is a technical sound designer at Sucker Punch Productions, where he helps create the...
19/03/2026
Other Voices presents a legendary night of music as Foo Fighters bring their stadium anthems to St James' Church, An Daingean. The surprise performance teas...
19/03/2026
***Issued by RT on behalf of RTS Ireland Awards / Gradaim RTS 2026...
19/03/2026
It's a double feature on GFN Thursday. This week, GeForce NOW offers smoother sights in virtual reality (VR) and a sprawling new land to conquer.
Streaming...
18/03/2026
Newly named chief product officer (CPO), Larissa G rner Meeus will return to Net Insight on May 4.
Larissa G rner Meeus will become CPO of Net Insight on May 4...
18/03/2026
SVG Europe's The Football Summit 2026 explored how the sports broadcasting i...
18/03/2026
The 2026 NAB Show kicks off one month from today and SVG is once again set to cover the show from every angle. SVG's SportsTech@NAB Show Blog is now live - ...
18/03/2026
(L-R) The cast and crew of Dead Lover at The Ray Theater for its premiere at the 2025 Sundance Film Festival. (Photo by Robin Marshall/Shutterstock for Sundan...
18/03/2026
Yamaha C7 captured in Nashville
Wiltone Productions have announced the release of Music Row Piano, a deeply sampled Yamaha C7 piano library that's been ...
18/03/2026
Bass-enhancement plug-in upgraded
Along with a steady stream of new releases, Techivation have recently been revisiting some of the older plug-ins in their ...
18/03/2026
Mix-reference plug-in overhauled
iZotope's powerful mix-referencing plug-in has just reached its third major version, and now boasts a new capture proce...
18/03/2026
Latest EZKeys 2 expansion arrives
Toontrack's staggering collection of EZKeys 2 expansions has grown once again, and the latest instalment delivers a on...
18/03/2026
Jess Ho explores the politics of food in new SBS Audio podcast For The Culture
18 March, 2026
Media releases
New SBS Audio podcast For The Culture, hosted ...
18/03/2026
Future-ready broadcasts with ATSC 3.0 and enhanced services from Rohde & Schwarz...
18/03/2026
London Calling - When The Industry Convened to Help Streaming Find its MoJo In this blog, Laura Rognoni reflects on key discussions from the Connected TV World...
18/03/2026
SMPTE Unveils 2026 NAB Show Educational Presentations
Brie Clayton March 18, 2026
0 Comments
SMPTE , the home of media professionals, technologists, a...
18/03/2026
Auditel Ad Campaign Shot on Blackmagic PYXIS 12K
Brie Clayton March 18, 2026
0 Comments
LED wall virtual production blends 12K open gate acquisition w...
18/03/2026
Brainstorm transforms productivity and sustainability with Suite 7 at NAB Show 2...
18/03/2026
Share
Copy link
Facebook
X
Linkedin
Bluesky
Email...
18/03/2026
Share
Copy link
Facebook
X
Linkedin
Bluesky
Email...
18/03/2026
Share
Copy link
Facebook
X
Linkedin
Bluesky
Email...
18/03/2026
Share
Copy link
Facebook
X
Linkedin
Bluesky
Email...
18/03/2026
Share
Copy link
Facebook
X
Linkedin
Bluesky
Email...
18/03/2026
Share
Copy link
Facebook
X
Linkedin
Bluesky
Email...
18/03/2026
SMPTE , the home of media professionals, technologists, and engineers, today unveiled its educational presentations for the 2026 NAB Show. This year SMPTE will ...
18/03/2026
Maxon, maker of powerful, approachable software solutions for creators working in 2D and 3D design, motion graphics, visual effects, gaming, and more, today ann...
18/03/2026
Digital Alert Systems
Preview
2026 NAB Show
April 19 - 22
Booth C3452
At the 2026 NAB Show, Digital Alert Systems will showcase Version 6.0 of its DASDEC ...
18/03/2026
Setplex today announced that it will showcase its complete, fully integrated Zapflex platform for the first time at the 2026 NAB Show, introducing powerful new ...
18/03/2026
THIS ANNOUNCEMENT RELATES TO THE DISCLOSURE OF INFORMATION THAT QUALIFIED OR MAY HAVE QUALIFIED AS INSIDE INFORMATION WITHIN THE MEANING OF ARTICLE 7(1) OF THE ...
18/03/2026
COW Jobs: Seeking DP for Low Budget Dramedy - Chicago
Brie Clayton March 17, 2026
0 Comments
Seeking Director of Photography for Low Budget Dramedy Fe...
18/03/2026
COW Jobs: Seeking Gaffer for Low Budget Dramedy - Chicago
Brie Clayton March 17, 2026
0 Comments
Seeking Gaffer for Low Budget Dramedy Feature Film- I...
18/03/2026
COW Jobs: Seeking Location, Sound for Low Budget Dramedy - Chicago
Brie Clayton March 17, 2026
0 Comments
Seeking Location/Sound for Low Budget Dramed...
18/03/2026
COW Jobs: Seeking Child Wrangler for Low Budget Film - Chicago
Brie Clayton March 17, 2026
0 Comments
Seeking Child Wrangler for Low Budget Dramedy Fe...
18/03/2026
Calrec Redefines Broadcast Workflows at NAB 2026 with its Most Powerful Hardware...
18/03/2026
Oscar Nominated Two People Exchanging Saliva Posted with DaVinci Resolve Studio
Brie Clayton March 17, 2026
0 Comments
DaVinci Resolve Studio handle...
18/03/2026
Boston Conservatory Presents Celebrated Musical Satire Urinetown Performances for this Center Stage production will take place at Boston Conservatory Theater ...
18/03/2026
Charlie Puth Joins Switched on Pop at Berklee NYC The Berklee alum spoke with host and Berklee NYC professor Charlie Harding for a live taping, answering audi...
18/03/2026
X-Rite Pantone Demonstrates Advanced Color Management Solutions to Support Smart...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
