
Streaming, and Spotify for that matter, wouldn't have been possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness came malicious attackers who look to exploit weaknesses in websites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often award money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving researchers credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting were so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and awarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest number of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of the reports we receive concern sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond to and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.