
6 Frequently Asked Questions About Spotify's Bug Bounty Program

13/09/2019

Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, that openness and interconnectedness also brought malicious attackers who look to exploit weaknesses in websites and applications.

At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.

Want to learn more? We've broken it down into six frequently asked questions.

1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.

2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.

In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.

3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.

4. What sort of problems have been reported? We receive the largest number of reports on our most visible websites, www.spotify.com and community.spotify.com, but we also receive reports on our mobile applications, desktop applications, and other apps and software.

One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.

5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, harming the brand and reputation of Spotify. Or, credentials exposed through such a vulnerability could be used for lateral movement or in a phishing attack. None of this is good for us or our users.

6. So what's the next step for security at Spotify? As mentioned, a lot of reports concern sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that helps us ensure we can rapidly and effectively respond to and correct vulnerabilities that are reported to us through the bug bounty program.

So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
LINK: https://newsroom.spotify.com/2019-09-13/6-frequently-asked-questions-a...