Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
01/04/2026
January 4 2026, 18:00 (PST) DOLBY AND DOUYIN EMPOWER THE NEXT GENERATON OF CREATORS WITH DOLBY VISION
Douyin Users Can Now Create And Share Videos With Stun...
24/03/2026
As the music industry gathers for Canada's Juno Awards, the local edition of...
24/03/2026
Behind every great song is a complex web of people, stories, and inspirations th...
24/03/2026
Few filmmakers have shaped popular cinema as profoundly as Steven Spielberg. So ...
24/03/2026
Latest Eurorack modules revealed
ALM/Busy Circuits have just introduced another two Eurorack modules, delivering a powerful new modulator that builds on the...
24/03/2026
Smallest, most affordable MPC to date
Akai Pro have just introduced their most accessible standalone sampler to date, making the iconic MPC experience avail...
24/03/2026
Create & manage presets on Windows & macOS
Electro-Harmonix have announced that their free Mac/Windows application now allows users of their Oceans Abyss re...
24/03/2026
Rohde & Schwarz amplifiers enable high-field immunity testing expansion at IB Le...
24/03/2026
eds3_5_jq(document).ready(function($) { $(#eds_sliderM519).chameleonSlider_2_1({...
24/03/2026
Rick Bernier reflects on a career that has taken him to the very top of live broadcast audio. As a Senior Broadcast Audio A1 Engineer and Music Director, he has...
24/03/2026
RT 's new history podcast, What Were We Like, is out now. Hosted by historian Diarmaid Ferriter and archivist Catriona Crowe, the series focuses on modern I...
24/03/2026
Tuesday 24 March 2026
Netflix partners with Sky Business to bring boxing night ...
24/03/2026
The Death of Bunny Munro and Lockerbie: A Search for Truth receive four nominations eachTuesday 24 March 2026
Sky celebrates 28 nominations at the 2026 BAFTA T...
24/03/2026
Tubi Turns Passion into Performance at IAB Newfront Announces New Interactive Ad Formats Including Scene Sense, Interactive Pause Ads and Connected Conversion...
24/03/2026
Arqiva shortlisted for Education Initiative of the Year'
We're excited to announce that we've been named a Finalist at the British Data Awards 202...
24/03/2026
Use of ABC data continues to grow, with 87% of buyers say they use it, compared ...
24/03/2026
All three presenters, Maura, D ith and Sinead, celebrate as afternoon chat show filmed in Cork hits milestone.
Ireland's longest running afternoon show, t...
24/03/2026
March 24 2026, 04:00 (PDT) Dolby Named to Fast Company's Annual List of the...
23/03/2026
It's been 20 years since Miley Cyrus introduced the world to Hannah Montana,...
23/03/2026
Made entirely from real natural recordings
Aimed at sound designers and editors working in film, TV and game audio, the latest release from BOOM Library com...
23/03/2026
Transcribe sheets, tabs or MIDI from audio files
Klang.io have announced the launch of a new AI-powered software tool that's capable of detecting multip...
23/03/2026
Monday 23 March 2026
Hacks, the multi-Emmy -winning Sky Exclusive comedy, retur...
23/03/2026
RT is sad today to learn of the death of legendary RT Sport broadcaster Michael Lyster, who died this morning aged 71 years.
Kevin Bakhurst, Director-General...
23/03/2026
RT Documentary On One has scooped its first ever dedicated music award. At the 2026 Icelandic Music Awards, composer lfur Eldj rn won Release of the Year in t...
23/03/2026
Inside Sport, Liveline, Morning Ireland and 2FM DRIVE will all be in Prague to bring fans to the heart of the action
Every Moment, Every GenerationRT | FIFA W...
22/03/2026
Free updates now available
VSL have just released some free updates that add some existing features to a selection of libraries in their expansive Synchron ...
21/03/2026
Presented to War Child UK's HELP(2) project
The MPG (Music Producers Guild) have announced the launch of the MPG Impact Award, a brand-new honour that w...
21/03/2026
Microtuning support for Arabic, Persian & Turkish scales
The latest release from Best Service brings together a selection of string, wind and percussion ins...
20/03/2026
In 2021, we launched EQUAL, a program designed to address an industry reality that persists: Women artists, songwriters, and producers too often face fewer oppo...
20/03/2026
BTS' long-awaited fifth studio album, ARIRANG, is finally here. To celebrate...
20/03/2026
A new era for Kenia Os has arrived, and Spotify marked the moment by putting fan...
20/03/2026
Una nueva era para Kenia Os ha llegado, y Spotify marc el momento poniendo a lo...
20/03/2026
Combines sampling & physical modelling
Sound Magic have announced the launch of a comprehensive virtual drum instrument that's been designed to cater to...
20/03/2026
How much difference should mastering make?
In our latest Mix Rescue feature, SOS Editor in Chief Sam Inglis revisits a project from back in 2019, carrying o...
20/03/2026
In this blog, Laura Rognoni reflects on key discussions from the Connected TV World Summit in London, where NAGRAVISION hosted a panel on content discovery and ...
20/03/2026
Dingle, Co. Kerry - Animation Dingle is delighted to announce that Suzanne Kelly, Head of Children's and Young People's Content at RT , will receive the...
20/03/2026
Friday 20 March 2026
Sky Extends Saturday Night Live UK Run to Eight Shows
Ahead of Saturday Night Live UK's launch tomorrow (March 21), Sky has confirmed...
20/03/2026
It's time to play The Money List! Baz Ashmawy is back at the helm as the qui...
19/03/2026
In 2021, we launched EQUAL, a program designed to address an industry reality that persists: Women artists, songwriters, and producers too often face fewer oppo...
19/03/2026
Latest EZKeys 2 expansion arrives
Toontrack's staggering collection of EZKeys 2 expansions has grown once again, and the latest instalment delivers a on...
19/03/2026
New generative AI plug-in due in May 2026
Roland have announced the upcoming launch of a new generative AI tool created in collaboration with Sony Computer ...
19/03/2026
Nick Williams updates users on insolvency process
Nick Williams, the CEO of Native Instruments, has released the following official statement regarding thei...
19/03/2026
Iconic Swedish mic manufacturer back in action
Legendary Swedish microphone manufacturer Milab have announced that production is now fully underway, and mic...
19/03/2026
Acclaimed saturation unit goes virtual
Freqport's Freqtube FT1 (reviewed here in SOS February 2023) offers a convenient way to integrate real valve-base...
19/03/2026
The discontinuation of loss-making business activities as part of the restructur...
19/03/2026
Tubi Partners with TikTok to Offer Creators a Pathway to Develop Premium Long Fo...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
