Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
01/04/2026
January 4 2026, 18:00 (PST) DOLBY AND DOUYIN EMPOWER THE NEXT GENERATON OF CREATORS WITH DOLBY VISION
Douyin Users Can Now Create And Share Videos With Stun...
20/03/2026
In 2021, we launched EQUAL, a program designed to address an industry reality that persists: Women artists, songwriters, and producers too often face fewer oppo...
20/03/2026
BTS' long-awaited fifth studio album, ARIRANG, is finally here. To celebrate...
20/03/2026
A new era for Kenia Os has arrived, and Spotify marked the moment by putting fan...
20/03/2026
Una nueva era para Kenia Os ha llegado, y Spotify marc el momento poniendo a lo...
20/03/2026
Combines sampling & physical modelling
Sound Magic have announced the launch of a comprehensive virtual drum instrument that's been designed to cater to...
20/03/2026
How much difference should mastering make?
In our latest Mix Rescue feature, SOS Editor in Chief Sam Inglis revisits a project from back in 2019, carrying o...
20/03/2026
In this blog, Laura Rognoni reflects on key discussions from the Connected TV World Summit in London, where NAGRAVISION hosted a panel on content discovery and ...
20/03/2026
Friday 20 March 2026
Sky Extends Saturday Night Live UK Run to Eight Shows
Ahead of Saturday Night Live UK's launch tomorrow (March 21), Sky has confirmed...
20/03/2026
It's time to play The Money List! Baz Ashmawy is back at the helm as the qui...
19/03/2026
In 2021, we launched EQUAL, a program designed to address an industry reality that persists: Women artists, songwriters, and producers too often face fewer oppo...
19/03/2026
Latest EZKeys 2 expansion arrives
Toontrack's staggering collection of EZKeys 2 expansions has grown once again, and the latest instalment delivers a on...
19/03/2026
New generative AI plug-in due in May 2026
Roland have announced the upcoming launch of a new generative AI tool created in collaboration with Sony Computer ...
19/03/2026
Nick Williams updates users on insolvency process
Nick Williams, the CEO of Native Instruments, has released the following official statement regarding thei...
19/03/2026
Iconic Swedish mic manufacturer back in action
Legendary Swedish microphone manufacturer Milab have announced that production is now fully underway, and mic...
19/03/2026
Acclaimed saturation unit goes virtual
Freqport's Freqtube FT1 (reviewed here in SOS February 2023) offers a convenient way to integrate real valve-base...
19/03/2026
The discontinuation of loss-making business activities as part of the restructur...
19/03/2026
Thursday 19 March 2026
Sky TV customers can enjoy a taste of Hayu's most po...
19/03/2026
Other Voices presents a legendary night of music as Foo Fighters bring their stadium anthems to St James' Church, An Daingean. The surprise performance teas...
19/03/2026
***Issued by RT on behalf of RTS Ireland Awards / Gradaim RTS 2026...
18/03/2026
Yamaha C7 captured in Nashville
Wiltone Productions have announced the release of Music Row Piano, a deeply sampled Yamaha C7 piano library that's been ...
18/03/2026
Bass-enhancement plug-in upgraded
Along with a steady stream of new releases, Techivation have recently been revisiting some of the older plug-ins in their ...
18/03/2026
Mix-reference plug-in overhauled
iZotope's powerful mix-referencing plug-in has just reached its third major version, and now boasts a new capture proce...
18/03/2026
Latest EZKeys 2 expansion arrives
Toontrack's staggering collection of EZKeys 2 expansions has grown once again, and the latest instalment delivers a on...
18/03/2026
Future-ready broadcasts with ATSC 3.0 and enhanced services from Rohde & Schwarz...
18/03/2026
London Calling - When The Industry Convened to Help Streaming Find its MoJo In this blog, Laura Rognoni reflects on key discussions from the Connected TV World...
18/03/2026
THIS ANNOUNCEMENT RELATES TO THE DISCLOSURE OF INFORMATION THAT QUALIFIED OR MAY HAVE QUALIFIED AS INSIDE INFORMATION WITHIN THE MEANING OF ARTICLE 7(1) OF THE ...
18/03/2026
X-Rite Pantone Demonstrates Advanced Color Management Solutions to Support Smart...
18/03/2026
Wednesday 18 March 2026
BAFTA winner James McAvoy to star in Sky Original serie...
18/03/2026
Wednesday 18 March 2026
Sky Sports and Zuffa Boxing announce multi-year agreement for the UK and Ireland
Sky Sports and Zuffa Boxing have announced a new mult...
18/03/2026
Wednesday 18 March 2026
Sky Unveils Poster and Trailer for Original Feature Fil...
18/03/2026
Wednesday 18 March 2026
UP NEXT: Sky presents a bold slate of new, premium acquired content
Sky reveals slate of newly acquired premium drama and comedy, as i...
18/03/2026
Wednesday 18 March 2026
UP NEXT: Sky unveils an unmissable genre-spanning slate...
18/03/2026
New Playout-to-Delivery Capabilities Elevate ATSC 3.0 Experiences, Lower DTV In...
17/03/2026
Fresh Finds Africa spotlights emerging artists and movements across the continent and its global diaspora, with listeners tuning in to discover new Afro-forward...
17/03/2026
Last month, more than 60,000 fans piled into Bangkok's Rajamangala National ...
17/03/2026
Vintage-inspired channel strip joins line-up
Black Rooster Audio's latest plug-in provides an all-in-one mixing tool inspired by classic analogue consol...
17/03/2026
Level and EQ voice, reverb and noise independently
The latest plug-in to join Accentize's collection is said to take a new approach to dialogue processi...
17/03/2026
UHF radio mic & IEM bandwidth at risk
Once again, the UHF bandwidth that is currently allocated to RF audio gear is at risk of being reassigned to high-spee...
17/03/2026
Last Friday, the first Plant Fire Department Training Week in Bavaria successf...
17/03/2026
THIS ANNOUNCEMENT RELATES TO THE DISCLOSURE OF INFORMATION THAT QUALIFIED OR MAY HAVE QUALIFIED AS INSIDE INFORMATION WITHIN THE MEANING OF ARTICLE 7(1) OF THE ...
17/03/2026
Comscore Reports Fourth Quarter and Full Year 2025 Results RESTON, Va., March 17, 2026 - Comscore, Inc. (Nasdaq: SCOR), a trusted partner for planning, transact...
17/03/2026
17 Mar 2026
VEON Strengthens Leadership Team to Accelerate Digital Ambition Senior executive appointments are to enhance country operations and VEON Group'...
17/03/2026
UKTV today announces the appointment of Sam Tewungwa as Chief Executive Officer, who will lead the company's next phase of growth.
Tewungwa, currently Mana...
17/03/2026
Tuesday 17 March 2026
Disney included in the Sky TV subscription from today, b...
17/03/2026
The five-part thriller, formerly known as Inheritance, also stars Jonny Lee Mill...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
