Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
11/12/2025
Dalet, a leading provider of cloud-native, end-to-end media workflow solutions, ...
04/12/2025
The ninth series of Dancing with the Stars returns to screens in early
2026 and will be proudly sponsored by Hyundai
Filling our Sunday evenings with glitz an...
03/12/2025
ToolsOnAir Composition Builder 2025 Boilerplate
More Details: The Composition Builder 2025 application for macOS enables TV stations and Live Event broadcast...
03/12/2025
ToolsOnAr just:live pro 2025 Boilerplate
More Details: just:live pro 2025 is a Single Channel Live Production Playout solution for video and static or real-t...
03/12/2025
ToolsOnAr just:play pro 2025 Boilerplate
More Details: just:play pro 2025 is a Single Channel automated 24/7 Master Control playout solution with SD, HD and ...
03/12/2025
ToolsOnAr live:cut 2025 Boilerplate
More Details: live:cut is an option to just:in mac pro 2025 and enables multicamera production workflows for up to 16 cam...
03/12/2025
ToolsOnAir Just In Mac Lite NDI 2025 Boilerplate
More Details: The Just In Mac Lite NDI application is a streamlined media capture solution designed specific...
03/12/2025
ToolsOnAir Just In Mac Lite 2025 Boilerplate
More Details: The Just In Mac Lite application is a streamlined media capture solution designed specifically for...
03/12/2025
ToolsOnAir just:in mac pro 2025 Boilerplate
More Details: just:in mac pro is a macOS-based client-server multichannel capture solution to record SDI, HDMI, N...
03/12/2025
Tracy Bonareri Onchoke, Thomson's Young Journalist of the year 2025 is hoping the accolade will be a springboard to more cross-border collaboration between ...
03/12/2025
For the fourth time, Bad Bunny is the most-streamed Wrapped artist on Spotify gl...
03/12/2025
The wait is over. It's time to look back at the audio that defined your year with 2025 Spotify Wrapped, our annual celebration for fans, artists, creators, ...
03/12/2025
Por cuarta vez, Bad Bunny es el Top Artista Global de Wrapped en Spotify, con 19...
03/12/2025
Spotify Wrapped is back, and as always, it's powered by the billions of streams that fans around the world delivered throughout the year. From the artists w...
03/12/2025
Spotify Wrapped is the moment when hundreds of millions of fans around the world...
03/12/2025
With more than 700 million listeners around the world turning to Spotify to soundtrack their lives, it's time to look back at the audio that defined the yea...
03/12/2025
Con m s de 700 millones de oyentes en todo el mundo usando Spotify para acompa ar su d a a d a, es momento de mirar hacia atr s y ver el audio que marc el a o....
03/12/2025
From page-turning thrillers to inspiring memoirs, audiobooks are becoming a core...
03/12/2025
Com mais de 700 milh es de ouvintes em todo o mundo recorrendo ao Spotify para embalar seu dia a dia, chega o momento de revisitar o udio que marcou o ano. Nos...
03/12/2025
Spotify Wrapped celebrates the audio that defined our year, and the annual globa...
03/12/2025
Wuppertal December 3, 2025
Riedel and Haivision Join Forces to Advance Wireless Video TransmissionRiedel Communications today announced a new partnership with...
03/12/2025
Tell us a little bit about your job I am a Digital Marketing Executive working on Paid Social, PPC, and Organic Social. I joined the team in May 2025 and am enj...
03/12/2025
SAN JOSE, Calif. and VIENNA - Dec. 3, 2025 - Harmonic (NASDAQ: HLIT) and Normann...
03/12/2025
S an Nollaig
Celebrate 2025's top Irish sporting stars with RT Sport Awards live from RT Studios on RT One and RT Player
RT pays tribute to Ror...
02/12/2025
eds3_5_jq(document).ready(function($) { $(#eds_sliderM519).chameleonSlider_2_1({...
02/12/2025
--
The International Electrotechnical Commission (IEC), the International Organization for Standardization (ISO), and the International Telecommunication Unio...
02/12/2025
Harmonic's cOS Platform Will Redefine Subscribers' Quality of Experience, Lowering Churn SAN JOSE, Calif. - Dec. 2, 2025 - Harmonic (NASDAQ: HLIT) today...
02/12/2025
S an Nollaig
Hollywood blockbusters The Banshees of Inisherin, Barbie and Oppenheimer make their Irish TV debut
Tune into the classics such as Love Actual...
02/12/2025
Showcasing fresh Irish storytelling and emerging talent Storyland 2025 signals a fantastic time for Irish drama
RT and F s ireann/Screen Ireland are proud to...
01/12/2025
MANCHESTER, UK - November 2025 - Announced two days before the 30th anniversary of Oasis' debut album, Definitely Maybe, the Oasis Live '25 tour marks t...
01/12/2025
01 Dec 2025
Kyivstar and Ukrainian Ministry of Digital Transformation Select Go...
01/12/2025
The prequel to the global hit Sky Original mob crime saga, Gomorrah' is a s...
01/12/2025
Featuring Florence Welch, Red Hot Chilli Peppers' Flea, designer Bella Freud...
01/12/2025
Fox Corporation Chief Financial Officer Steve Tomsic to Participate in Upcoming ...
01/12/2025
Arvato Systems' Virtual Private Cloud (VPC) Receives BSI C5 Certification (T...
01/12/2025
Summary This short video gives you an summary of the changes in under two minutes.
--...
01/12/2025
As the festive season approaches, RT Supporting the Arts is proud to showcase a...
01/12/2025
Festive specials of Christmas in Kilmainham presented by Marty Whelan, High Road Low Road, Callan Kicks the Year and Keys to My Life
Ring in the New Year with ...
01/12/2025
Architect and television presenter Hugh Wallace, best known to RT audiences as a long-serving judge on Home of the Year, has died at the age of 68.
In a state...
28/11/2025
It's easy to ignore those little red update available badges. But when it ...
28/11/2025
Friday 28 November 2025
Sky Sports x Slawn drop limited-edition football jersey...
28/11/2025
Rohde & Schwarz shows resilience in a challenging environment, revenue exceeds t...
28/11/2025
Unwrapped: The Toy Show Appeal - airing this Sunday on RT One and RT Player- s...
27/11/2025
27 Nov 2025
GSMA brings M360 Eurasia 2026 to Samarkand in partnership with VEON...
27/11/2025
Tahar Rahim and Izuka Hoyle star in the gripping six-part Sky Original from Acad...
27/11/2025
Thursday 27 November 2025
Sky Arts Reveals the Nation's Greatest Basslines - and Queen Reign Supreme
The UK's most iconic basslines have been revealed...
27/11/2025
Rating reflects rating progress across areas including policies, diversity & inclusion, health & safety and Net Zero leadership
Winchester, UK, 27 November 202...
27/11/2025
What are the industry standards for Retail Media? Kathryn explains that certification is based on the IAB Europe Retail Media Measurement Standards and the IAB ...
27/11/2025
World champion boxer and Irish sporting icon Katie Taylor will be in studio this...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
