
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness came malicious attackers who look to exploit weaknesses in websites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program?
There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program?
Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving researchers credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting were so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne?
Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported?
We receive the largest number of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal?
If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify?
As mentioned, a lot of reports come in regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond to and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.