Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
01/04/2026
T Bluey ag teacht go RT ! Beginning on Monday 6 April 2026, Bluey will be available as Gaeilge on RT KIDSjr and RT Player. Children will be able to connect w...
01/04/2026
January 4 2026, 18:00 (PST) DOLBY AND DOUYIN EMPOWER THE NEXT GENERATON OF CREATORS WITH DOLBY VISION
Douyin Users Can Now Create And Share Videos With Stun...
31/03/2026
Spotify has evolved from a streaming platform to an interactive, multiformat eco...
31/03/2026
Lastest New Universal Synthesizer System module announced
Make Noise Music have recently announced the launch of the latest addition to their New Universal ...
31/03/2026
True Stereo DynIR Engine, Virtual Load Shaper & more
Two notes Audio Engineering's Captor X reactive load box and cabinet simulator has built up a solid...
31/03/2026
31 Mar 2026
VEON Announces 2026 AGM and Board Nominees Notice of the 2026 Annual General Meeting of Shareholders of VEON Ltd.
Dubai and New York, March 31, 20...
31/03/2026
Jack Whitehall will be joined by musical guest Jorja Smith - (Show 4 - 11 April)Tuesday 31 March 2026
Jack Whitehall announced as next host of Saturday Night L...
31/03/2026
Tuesday 31 March 2026
Sky Sports announces major women's boxing deal with Most Valuable Promotions
Sky Sports and NOW will become the home of Most Valuabl...
31/03/2026
Stand #N1311 (North Hall)
April 19-22, 2026
Discover why colourists and DITs rely on Baselight and Daylight v7. Explore the latest updates about Nara, our pla...
31/03/2026
31. March 2026 News
DFT is pleased to announce that three Polar HQ scanners...
31/03/2026
United Utilities has reached a significant milestone in its smart metering programme after installing more than 200,000 in the last twelve months.
Over the nex...
30/03/2026
MPE-capable chamber strings library announced
Alongside their collection of Kontakt instruments, Sonora Cinematic have been steadily introducing a series of...
30/03/2026
Latin-inspired percussion instrument announced
Built on a newly developed engine and interface, UJAM's latest instrument has been designed to create Lat...
30/03/2026
Latest Eduardo Tarilonte collaboration announced
The latest library to join Best Service's ever-growing range includes four solo wind instruments that c...
30/03/2026
We want to hear from you!
Complete our SOS Quick Survey and enter the prize draw for a chance to win one of three $50 Amazon vouchers!
Sound On Sound carri...
30/03/2026
30 Mar 2026
JazzCash Onboards Its 1 Millionth Merchant on Pakistan's Nation...
30/03/2026
Sky welcomes Karen Blackett CBE to its DAC and thanks Baroness Prashar and Ndidi Okezie as they step down after five yearsMonday 30 March 2026
Sky announces ch...
30/03/2026
Leading Taiwan Broadband Operator Drives Fiber Deeper with Harmonic SAN JOSE, Calif. - March 30, 2026 - Harmonic (NASDAQ: HLIT) today announced that KBRO, a lea...
28/03/2026
Now features DiGiCo console integration
Harrison's live recording and virtual soundcheck software has just reached its third major version, which among ...
28/03/2026
MPE-capable chamber strings library announced
Alongside their collection of Kontakt instruments, Sonora Cinematic have been steadily introducing a series of...
27/03/2026
New Classic, Amplitude & FlexRange units introduced
GIK Acoustics have just introduced a trio of new bass trap designs that bring improved low-end absorptio...
27/03/2026
Offers personalised Dolby Atmos headphone monitoring
Sonarworks have put their calibration expertise to work on a new mobile app that allows users to create...
27/03/2026
27 Mar 2026
VEON Reinforces Alignment with Shareholder Value Creation Dubai and New York, March 27, 2026 - VEON Ltd. (Nasdaq: VEON; VEON or the Company ), a...
27/03/2026
RT Supporting the Arts
RT is Supporting 20 Arts and Cultural Events all over Ireland this April
RT is proud to support an exciting month of arts and cul...
27/03/2026
Average of 1.37 million viewers watched Irish World Cup heartbreak on RT 2
Over one million streams on RT Player
Highest number of streams for any single eve...
27/03/2026
March 27 2026, 01:30 (PDT) Dolby Unveils Dolby House Shanghai, its First Global Flagship Experience Center
A New Global Platform Showcasing Dolbys Innovatio...
27/03/2026
March 27 2026, 03:30 (PDT) Dolby and QQ Music Advance Streaming Music with Enhancements to Dolby AC-4
Delivering greater fidelity, clarity and detail to Dol...
26/03/2026
Spotify's partnership with NAVER, Korea's leading digital platform, is built around one simple goal: making it easier for listeners in Korea to discover...
26/03/2026
Exclusive to ComposerCloud for first month
Sample library and virtual instrument gurus EastWest have announced the upcoming release of a new virtual drum i...
26/03/2026
Friday 27 March
Friday 27 March will mark Dynamic Range Day 2026, the annual day of online activity that was started in 2010 by mastering engineer Ian Sheph...
26/03/2026
Includes four separate instruments
Max Richter's SRM Sounds venture have just announced their fifth release, ASMR Choir. Captured at the main live room ...
26/03/2026
Thursday 26 March 2026
HBO Max included for Sky and NOW customers from 26 March...
26/03/2026
Thursday 26 March 2026
Sky Sets Iconic Costumes Dancing Together Like Never Before' in Brand CampaignTurn on cookies to view this content. Go to Privacy o...
26/03/2026
Wuppertal March 26, 2026
CS live Builds Future-Ready OB Van With Riedel MediorNet and hi Control SystemRiedel Communications today announced that Czech-based ...
26/03/2026
Enhancements to Harmonic's Sports Streaming Solution Introduce Server-Side Multiview, Contextual Metadata-Driven Advertising, Dynamic In-Stream Ads and Robu...
26/03/2026
Open the report
Our 2025 report brings together results from 79 business magazine titles across 22 market sectors, published by 49 media owners. Over the year,...
26/03/2026
RT Commercial today announced Fiat as sponsor of The Louise Duffy Show on RT Radio 1, Weekdays 3pm 4pm.
The Louise Duffy Show is the home of daytime music...
26/03/2026
Wayne, N.J., March 26, 2026 Phantom High-Speed announces the latest product li...
25/03/2026
Directed By, Spotify's documentary-style series that pulls back the curtain ...
25/03/2026
BTS is so back. This week, the global pop superstars took the stage at New York City's Pier 17 for their first U.S. performance in four years.
Part of Spot...
25/03/2026
How you listen can shape what you hear. That's the idea behind the new Spotify Listening Lounge, an acoustic space at our London headquarters purpose-built ...
25/03/2026
Tape effects taken to the extreme
The latest release from New York-based developer Iconic Instruments is said to accurately recreate the saturation and comp...
25/03/2026
Launched alongside new Vocal Phrases bundle
Sonuscore's latest release has been designed specifically for composers working on fantasy TV, film and game...
25/03/2026
Latest update now live
The latest version of Steinberg's post-production-focused DAW has just arrived, and comes packed with new dialogue editing, sound...
25/03/2026
Rohde & Schwarz joins FormFactor's MeasureOne partner program FormFactor and Rohde & Schwarz advance their partnership for on-wafer RF component character...
25/03/2026
25 Mar 2026
VEON Highlights Uklon's Expansion into Travel, Strengthening it...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
