Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
01/04/2026
January 4 2026, 18:00 (PST) DOLBY AND DOUYIN EMPOWER THE NEXT GENERATON OF CREATORS WITH DOLBY VISION
Douyin Users Can Now Create And Share Videos With Stun...
17/03/2026
Fresh Finds Africa spotlights emerging artists and movements across the continent and its global diaspora, with listeners tuning in to discover new Afro-forward...
17/03/2026
Last month, more than 60,000 fans piled into Bangkok's Rajamangala National ...
17/03/2026
Vintage-inspired channel strip joins line-up
Black Rooster Audio's latest plug-in provides an all-in-one mixing tool inspired by classic analogue consol...
17/03/2026
Level and EQ voice, reverb and noise independently
The latest plug-in to join Accentize's collection is said to take a new approach to dialogue processi...
17/03/2026
UHF radio mic & IEM bandwidth at risk
Once again, the UHF bandwidth that is currently allocated to RF audio gear is at risk of being reassigned to high-spee...
17/03/2026
Last Friday, the first Plant Fire Department Training Week in Bavaria successf...
17/03/2026
THIS ANNOUNCEMENT RELATES TO THE DISCLOSURE OF INFORMATION THAT QUALIFIED OR MAY HAVE QUALIFIED AS INSIDE INFORMATION WITHIN THE MEANING OF ARTICLE 7(1) OF THE ...
17/03/2026
17 Mar 2026
VEON Strengthens Leadership Team to Accelerate Digital Ambition Senior executive appointments are to enhance country operations and VEON Group'...
17/03/2026
UKTV today announces the appointment of Sam Tewungwa as Chief Executive Officer, who will lead the company's next phase of growth.
Tewungwa, currently Mana...
17/03/2026
Tuesday 17 March 2026
Disney included in the Sky TV subscription from today, b...
17/03/2026
The five-part thriller, formerly known as Inheritance, also stars Jonny Lee Mill...
17/03/2026
Tuesday 17 March 2026
Sky Arts welcomes Fearne Cotton as co-host of Landscape Artist of the Year
Sky Arts' much-loved Landscape Artist of the Year is set ...
17/03/2026
Season 2 of the darkly comic thriller will launch on Sky in 2026Tuesday 17 March 2026
Ella Purnell returns as wallflower-turned-killer in Sky Original Sweetpea...
16/03/2026
Promises studio-grade fidelity for the stage
Cloudvocal have announced the launch of a new instrument mic designed for professional live performers and engi...
16/03/2026
Popular MIDI/CV converter & interface overhauled
Kenton have announced the launch of the USB Solo Mk2, a new and improved version of their compact MIDI to C...
16/03/2026
Running from 16-29 March 2026
Starting from today (16 March) and running until 29 March 2026, Sonarworks are offering discounts of up to 40% across their ra...
16/03/2026
aconnic AG (ISIN: DE000A0LBKW6), Munich, is delivering the first commercial 100-Gigabit systems following successful validation and certification for customer n...
16/03/2026
16 Mar 2026
VEON Files its 2025 Annual Report on Form 20-F Dubai and New York, March 16, 2026 - VEON Ltd. (Nasdaq: VEON), a global digital operator ( VEON'...
16/03/2026
Six Couples. 100 Days Apart. One Question: Does Absence Make the Heart Grow Fond...
16/03/2026
Monday 16 March 2026
Tina Fey, Jamie Dornan and Riz Ahmed announced as first th...
16/03/2026
The reporting option was introduced following extensive consultation with publis...
16/03/2026
After a nail-biting Grand Finale, Rose of Tralee Katelyn Cummins has been announced as the winner of Dancing with the Stars 2026.
The four finalists each dance...
16/03/2026
Welcome to Moore Street will begin on RT One and RT Player on Thursday 19 Marc...
15/03/2026
Visit ToolsOnAir at NAB Las Vegas 2026
More Details:From April 19-22, join us at NAB Show Las Vegas in the North Hall, Booth N1258, for an exclusive preview of...
15/03/2026
Latest dark drama, thrillers & tension library announced
The Very Loud Indeed Co.'s latest Kontakt library has just arrived, delivering a third instalme...
14/03/2026
Combines mic, USB interface & wireless IEMs
Following a successful Kickstarter campaign, HISONG have announced that their innovative AirStudio S1 device is ...
13/03/2026
Spotify has always been built around your taste. More than 80% of listeners say personalization is what they love most about us. Now we're taking that even ...
13/03/2026
The new Spotify Legends Club has opened its doors. Its members: select German-sp...
13/03/2026
Pushing drum sampler technology into new territories
The latest version of Klevgrand's software drum sampler has just arrived, boasting a newly designe...
13/03/2026
Expanded headphone support & engine improvements
IK Multimedia's recently introduced ARC On-Ear system brings the power of their monitoring-correction s...
13/03/2026
Extra sound collections, more presets & new Keys category
UVI's rhythm and pattern instrument has just received a major update that introduces four new ...
13/03/2026
13 Mar 2026
VEON Delivers Record Digital Growth: 4Q25 Digital Revenues Grow 84%...
13/03/2026
Friday 13 March 2026
Sky Adds Blood on Snow to Original Film Slate in Acquisiti...
13/03/2026
RT has announced today that Rick O'Shea is the new presenter of Arena RT Radio 1's flagship weeknight arts and culture programme. Rick has been pres...
13/03/2026
Lights! Camera! Action! The 98th Oscars set to air live as RT backs the Irish n...
12/03/2026
Staines-upon-Thames, UK, 11th March, 2026 - Yospace, the trusted leader in Dyna...
12/03/2026
In Latin America, women are shaping music and defining its future. To kick off t...
12/03/2026
En Am rica Latina, las mujeres est n moldeando la m sica y definiendo su futuro....
12/03/2026
Let's turn back the clock 20 years: The music landscape was a world away fro...
12/03/2026
Bad Bunny is no stranger to Spotify's Billions Club. In fact, he has a whopp...
12/03/2026
Spotify was at the London Book Fair this week, joining conversations across the publishing industry about how people can make reading part of their daily lives....
12/03/2026
Mastering tool improves mono compatibility
Tokyo Dawn Labs' Ohlhorst Digital range is a series of mastering-focused plug-ins developed by Jan Ohlhorst, ...
12/03/2026
Wave FX processor integrated into four products
Lewitt have teamed up with Elgato to create a new processor for the company's Wave Next product range, i...
12/03/2026
Free tool for annotating audio files
Mix Notes is a new, free iOS App that provides users with a simple way to annotate their audio files. It's been cre...
12/03/2026
Side-chain ducking tool gets an upgrade
Devious Machines' popular side-chaining and envelope-shaping tool has just been kitted out with an improved enve...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
