6 Frequently Asked Questions About Spotify's Bug Bounty Program

13/09/2019

Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness came malicious attackers who look to exploit weaknesses in websites and applications.

At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.

Want to learn more? We've broken it down into six frequently asked questions.

1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.

2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.

In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.

3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.

4. What sort of problems have been reported? We receive the largest number of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.

One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.

5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.

6. So what's the next step for security at Spotify? As mentioned, many of the reports we receive concern sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond to and correct vulnerabilities that are reported to us through the bug bounty program.

So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
LINK: https://newsroom.spotify.com/2019-09-13/6-frequently-asked-questions-a...