Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
04/08/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
04/07/2026
April 7 2026, 19:00 (PDT) Detective Conan: Fallen Angel of the Highway Opens in...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
05/05/2026
Experts from the world of academia, tech, business, politics and media convened for a Thomson Talks at the Cambridge Disinformation Summit in April. It's th...
05/05/2026
Another year, and more proof that Asia continues to shape some of the world's most exciting new sounds. This year's RADAR artists draw from deep local r...
05/05/2026
The Austin City Limits Music Fest 2026 lineup just dropped, and this year, Spoti...
05/05/2026
New drum machine book campaign incoming
Bjooks have announced that during Superbooth 2026, they will be launching a Kickstarter campaign to fund the product...
05/05/2026
Flagship all-in-one production bundle updated
The latest version of Native Instruments' flagship virtual instrument and plug-in bundle has just been ann...
05/05/2026
Rohde & Schwarz to host RF Testing Innovations Forum 2026, helping design engine...
05/05/2026
The company grew by 7.6% in net revenue and 16.3% in EBITDA, achieving a 33% inc...
05/05/2026
FOX Sports, FOX One and Indeed Launch Nationwide Search for FOX One Chief World...
04/05/2026
just:play pro 2026 and just:live pro 2026 are available to download!
More Details:At NAB 2026, ToolsOnAir showcased just:play pro 2026 and just:live pro 2026, ...
04/05/2026
just:in mac pro 2026 - The Next Level of Professional Recording on macOS
More Details:The headline innovation in just:in mac pro 2026 is the new Auto format si...
04/05/2026
Last week, guests gathered in New York City for On Air, In Style: An Evening with Spotify-a night of conversation, culture, and connection celebrating the inter...
04/05/2026
New music & post-production features added
Avid's latest DAW update delivers an array of helpful features aimed at both music and post-production users,...
03/05/2026
Polysynth now features Mutable Instruments' macro oscillators
Melbourne Instruments have just released a free firmware update that brings the engine beh...
02/05/2026
Versatile re-amping tool announced
Warm Audio are best known for their recreations of sought-after vintage studio gear, but their latest release brings a ne...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
Florals for spring? Groundbreaking. But a playlist that tells you which The Devi...
01/05/2026
One of the world's biggest popstars is headed to El Cl sico. Later this mont...
01/05/2026
Limited-edition model celebrates 15th anniversary
Heritage Audio's range of monitor controllers has just gained a new member, the Baby RAM Black Edition...
01/05/2026
Dumble recreation now available as UAD plug-in
Along with their renowned processing plug-ins, Universal Audio have been steadily introducing emulations of c...
01/05/2026
The first Quantum console purchase made by the company was a Quantum 338 in September 2020. Since then, the company has leveraged Quantum power to steadily expa...
01/05/2026
Friday 1 May 2026
Hannah Waddingham and Ncuti Gatwa to host the series final tw...
01/05/2026
Friday 1 May 2026
Got plans? Cancel them. Sky Sports Big Weekend is coming
Sky Sports is preparing for a bumper weekend of live action, including Manchester ...
01/05/2026
Friday 1 May 2026
Sky Sports to broadcast all matches from World Sevens Football London edition
Sky Sports will be the exclusive UK broadcaster of the women&#...
01/05/2026
RT Sport awarded first pick free-to-air on Wednesday nights
Champions League and Super Cup finals
Highlights on Wednesday nights
RT today (Thursday 30 Apri...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
30/04/2026
Music is evolving, and so are the ways you discover and connect with artists. In...
30/04/2026
Between April 22-29, the first inaugural Stockholm Music Week brought together thought leaders and partners across industries including music, tech, government,...
30/04/2026
Iconic large-format console upgraded
API's iconic Vision console has just been treated to an overhaul that aims to meet the demands of today's profe...
30/04/2026
Comes complete with miking accessories
The LCT 440 Pure has proven to be a popular member of Lewitt's mic line-up, offering impressive technical perform...
30/04/2026
24 October 2026 at The Octagon, Sheffield
Now in its eighth year, SynthFest UK is the largest event of its kind in the UK, bringing together the top keyboar...
30/04/2026
Rohde & Schwarz equips new Terminal 3 at Frankfurt Airport with security scanner...
30/04/2026
Rohde & Schwarz expands broadband amplifier portfolio with new power classes up ...
30/04/2026
Jennifer Ehle (Contagion, Zero Dark Thirty) and Alex Hassell (Rivals, Wasteman, ...
30/04/2026
Behind the Broadcast: The Sound of Elite Golf Golf is gaining popularity; the 2025 Ryder Cup achieved record-breaking viewing figures in the UK specifically, wi...
30/04/2026
Com a evolu o de novos standards de broadcast em todo o mundo e o OTT streaming buscando a posi o de lideran a no consumo de m dia, tanto os codecs de v deo q...
30/04/2026
Com a evolu o de novos standards de broadcast em todo o mundo e o OTT streaming buscando a posi o de lideran a no consumo de m dia, tanto os codecs de v deo q...
30/04/2026
All-New AI-Powered Network Intelligence Solution, Resilient Remote OLTs and Back-Office Integration Platform Power Smarter, More Efficient Fiber Networks SAN JO...
30/04/2026
Two worlds, one show The tour unfolds in two distinct halves. The first is a sol...
30/04/2026
Rian na Fola airs on RT One and RT Player on Monday May 4
Rian na Fola is a o...
29/04/2026
Combines EQ and harmonic distortion
Techivation's latest release is a simple EQ designed to offer quick control over a source's overall tonal balanc...
29/04/2026
Two new MPE controllers announced
Expressive E caused quite a stir when they released the Osmose, making the sort of expression that was once reserved for p...
29/04/2026
New modules & enhanced machine-learning
The latest version of iZotope's flagship restoration suite is now available, and now offers over 50 tools design...
29/04/2026
Voting opens at 4pm today
RT 's Today show have announced the eight finalists for their TV Home Cook competition. Amateur cooks from Cork, Dublin, Galway ...
29/04/2026
29 Apr 2026
VEON and Kyivstar Fulfill Commitment to Invest USD 1 Billion in Ukr...
29/04/2026
Rhod Gilbert, Harriet Kemsley, Kae Kurd, Sara Pascoe and Vicki Pattison to take part in brand new series on free streaming service U
Free streaming service U i...
29/04/2026
Wednesday 29 April 2026
Katie Price: Nothing to Hide, a Sky Original documentar...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
