Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
04/08/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
04/07/2026
April 7 2026, 19:00 (PDT) Detective Conan: Fallen Angel of the Highway Opens in...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
14/04/2026
ToolsOnAir and Omnistream Bring Mobile SRT Contribution into Professional 24/7 P...
14/04/2026
Captures a trio of renowned polysynths
The latest software to join AIR Music Tech's extensive catalogue captures the sound of three sought-after polysyn...
14/04/2026
Free offering includes 10 powerful plug-ins
United Plugins have announced the launch of a new bundle that brings together 10 of their pro-audio plug-ins, an...
14/04/2026
Julian Coryell joins virtual session player line-up
Announced at NAMM 2026, Celemony's Tonalic kits DAW users out with real performances by world-class ...
14/04/2026
X-Rite Pantone Color Academy Grand Opening in Shanghai
On March 27, 2026, X-Rite Pantone, the global authority in color standards and color science, held the...
14/04/2026
14 Apr 2026
VEON and JazzWorld Receive Competition Commission of Pakistan Appro...
14/04/2026
Tuesday 14 April 2026
Nicola Coughlan and Aimee Lou Wood to host next two episo...
14/04/2026
Lead writer and executive producer Jack Lothian joins alongside lead director Je...
14/04/2026
Wuppertal April 14, 2026
Thomas Riedel Acquires Premium Manufacturer ARRIStrategic Alignment With the Riedel Group for Innovation and Growth
Thomas Riedel, f...
14/04/2026
New Service Simplifies Integration of AI Applications with Exceptional Reliabili...
14/04/2026
Luxembourg, April 14, 2026 - SES, a leading space solutions company, today annou...
13/04/2026
ToolsOnAir Composition Builder 2026 Boilerplate
More Details: The Composition Builder 2026 application for macOS enables TV stations and Live Event broadcast...
13/04/2026
ToolsOnAr just:live pro 2026 Boilerplate
More Details: just:live pro 2026 is a Multi-Channel Live Production Playout solution for video and static or real-ti...
13/04/2026
ToolsOnAr just:play pro 2026 Boilerplate
More Details: just:play pro 2026 is a Multi-Channel automated 24/7 Master Control playout solution with SD, HD and U...
13/04/2026
ToolsOnAr live:cut 2026 Boilerplate
More Details: live:cut is an option to just:in mac pro 2025 and enables multicamera production workflows for up to 16 cam...
13/04/2026
ToolsOnAir Just In Mac Lite NDI 2026 Boilerplate
More Details: The Just In Mac Lite NDI application is a streamlined media capture solution designed specific...
13/04/2026
ToolsOnAir Just In Mac Lite 2026 Boilerplate
More Details: The Just In Mac Lite application is a streamlined media capture solution designed specifically for...
13/04/2026
ToolsOnAir just:in mac pro 2026 Boilerplate
More Details: just:in mac pro is a macOS-based client-server multichannel capture solution to record SDI, HDMI, N...
13/04/2026
Intuitive EQ plug-in gets an upgrade
Following its official launch back in February 2026, Musik Hack's intuitive EQ plug-in has been treated to its firs...
13/04/2026
Flagship soft synth collection expanded
The latest version of UVI's flagship vintage-inspired soft synth collection has just arrived, expanding the suit...
13/04/2026
Free version of innovative string library arrives
Released in October 2025, Lux Orchestral Strings was said to be Sonuscore's most ambitious library to ...
13/04/2026
The Girls' Research Camp is part of the Technology - Future in Bavaria edu...
13/04/2026
Rohde & Schwarz transforms submarine communications for real time underwater dom...
13/04/2026
Rohde & Schwarz enables Pulsar signal simulation to support next-generation navi...
13/04/2026
Monday 13 April 2026
Global environmental action NGO WRAP brings recycling to l...
13/04/2026
J nger Audio has joined the EBU ADM Implementers Group (ADM-IG) as a founding me...
13/04/2026
FOX Latin America Announces The Launch Of The FOX Channel In Central America And...
13/04/2026
No amps, no safety net The biggest challenge was the music itself. Everything in the film is acoustic and unamplified. The theme itself is kind of hard to expl...
13/04/2026
RT Radio 1 has today launched a significant step in its ongoing strategic evolution. Following the launch of its brand-new schedule late last year, RT Radio 1...
13/04/2026
The Late Late Show Opening Act, the search for Ireland's newest country musi...
13/04/2026
RT has today announced the appointment of Annemarie Britz to the position of Chief Financial Officer, RT following a public competition.
Annemarie Britz is c...
12/04/2026
Headphone system designed for immersive monitoring
With the demand for immersive audio showing no signs of slowing down, lots of companies are turning their...
11/04/2026
Engineer collective welcome Freddy Knop
Infrasonic, an award-winning collective of audio engineers operating out of Nashville and Los Angeles with credits r...
10/04/2026
After launching the Spotify Podcast Awards in Mexico last year, we brought the fan-voted celebration to Paris this week for its first edition in France. Hosted ...
10/04/2026
Powered and unpowered live PA ranges upgraded
Yamaha have just refreshed four of their hugely popular PA speaker ranges, delivering significant improvements...
10/04/2026
Underlying plug-in & VI technology now available to others
UJAM's latest announcement sees the company open up' Gorilla Engine, the development pla...
10/04/2026
Luxembourg, April 10, 2026 - SES, a leading space solutions company, announces that it has entrusted BNP Paribas with the implementation of a liquidity agreemen...
10/04/2026
What can I watch on UKTV and stream on U this week?
This week on UKTV and the free streaming service U, viewers can watch a range of new and returning programm...
10/04/2026
Five-part Sky Original drama airs nightly on Sky Mix and Sky Atlantic from 20 Ap...
09/04/2026
Staines-upon-Thames, UK, 09, April, 2026 - Yospace, the trusted leader in Dynam...
09/04/2026
just:play pro 2026 and just:live pro 2026 Sneak Preview News for NAB 2026
More Details:At NAB 2026, ToolsOnAir will showcase just:play pro 2026 and just:live p...
09/04/2026
just:in mac pro 2026 - The Next Level of Professional Recording on macOS at NAB ...
09/04/2026
Spotify has always been about putting listeners in the driver's seat. Today, people don't just want more ways to spend their time; they want that time t...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
