Sony Pixel Power calrec Sony

6 Frequently Asked Questions About Spotify's Bug Bounty Program

13/09/2019

Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.

At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.

Want to learn more? We've broken it down into six frequently asked questions.

1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.

2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.

In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.

3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.

4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.

One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.

5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.

6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.

So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
LINK: https://newsroom.spotify.com/2019-09-13/6-frequently-asked-questions-a...
See more stories from spotify

Europe Stories

05/01/2027

Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be demoed at CES 2026

Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...

07/10/2026

Dalet Flex LTS Delivers Smarter Media Operations from Ingest to Distribution

Dalet, a leading technology and service provider for media-rich organizations, today announced the latest Long-Term Supported (LTS) release of Dalet Flex. Build...

06/09/2026

Dolby and MagentaTV Bring Fans Closer to the FIFA World Cup 2026 in Germany with Dolby Vision and Dolby Atmos

June 9 2026, 23:00 (PDT) Dolby and MagentaTV Bring Fans Closer to the FIFA Worl...

04/08/2026

Dalet Announces Commercial Availability of Dalia, Bringing Media-Aware Agentic AI to Enterprise Productions

Dalet, a leading technology and service provider for media-rich organizations, t...

16/07/2026

Business Innovation Synergizer: Grants of up to 30,000 for media organisations

Media organisations with tested plans for new products, services or revenue models can now apply for grants of up to 30,000 through the Business Innovation Syn...

16/07/2026

Baby Audio release SubCulture

A new benchmark in bass enhancement Described as a new benchmark in bass enhancement , Baby Audio's latest release has been designed to augment the lo...

16/07/2026

Other Worlds Evolved from Zero G

Popular library rebuilt in new Orbita Engine Other Worlds Evolved is the latest of Zero G's sample libraries to be treated to a ground-up rebuild using ...

16/07/2026

Native Instruments announce Super*Saw

Created in collaboration with A. G. Cook The newest addition to Native Instruments' software collection introduces a new synth created by A. G. Cook, a ...

16/07/2026

Rohde & Schwarz supplies conformance test systems to Marquistech for India's first GCF RTO and PTCRB ATL lab

Rohde & Schwarz supplies conformance test systems to Marquistech for India's...

16/07/2026

RTW Network Display

Modern broadcast facilities are no longer confined to a single control room. Production teams are spread across multiple workstations, machine rooms, studios, c...

16/07/2026

Fox Corporation Executives to Discuss Fourth Quarter and Full Fiscal Year 2026 Financial Results Via Webcast

Fox Corporation Executives to Discuss Fourth Quarter and Full Fiscal Year 2026 F...

16/07/2026

More interfaces now compatible with Focusrite Control 2

More interfaces now compatible with Focusrite Control 2 Your Focusrite interface might now be compatible with a public beta support of Focusrite Control 2. If...

16/07/2026

FIFA World Cup semi-finals deliver whopper audiences as RT Player surpasses 21 million streams across the tournament to date

Together the semi-finals had a combined reach of 1.98 million unique individuals...

15/07/2026

Freqport unveil the Dual FreqInOut FO1-2RK

Launched alongside new FreqSoft installer Designed to bridge the gap between hardware and software, Freqport's FreqInOut FO1 unit provides a simple way ...

15/07/2026

Expressive E's Summer Offers

Save up to 55% on software until 23 July 2026 Expressive E have just launched their Summer Offer sale, with discounts of up to 55% now applied across their ...

15/07/2026

Peel Stems 2 from zplane

Real-time stem-separation tool updated zplane have recently released a new and improved version of their real-time stem-separation plug-in which they say ma...

15/07/2026

Baby Audio SubCulture

A new benchmark in bass enhancement Described as a new benchmark in bass enhancement , Baby Audio's latest release has been designed to augment the lo...

15/07/2026

DMC Production Reimagines Live OB with Calrec

DMC Production's AR 1 and AR 2 units reverse the conventional OB workflow, keeping all production-critical processing at the venue while operators work remo...

15/07/2026

Screeners and press pack now available: Gomorrah: The Origins premieres on Sky and NOW on 28 July

Wednesday 15 July 2026 Screeners and press pack now available: Gomorrah: The Or...

15/07/2026

Audiences to get behind-the-scenes access to Trinity College Dublin's Old Library in new RT series

Trinity's Treasures features Ruth Negga, Eleanor McEvoy, and David Norris, a...

15/07/2026

Building Ireland explores the River Shannon region from Leitrim to Limerick in a new series

Join geographer Dr Susan Hegarty, Engineer Tim Joyce and Architect Orla Murphy a...

14/07/2026

Avalanche Tones debut with Chainsaw Suite

Plug-ins for heavy music Avalanche Tones is the brainchild of Ava Toton, a 17-year-old musician and developer who says her goal is to make the lives of gui...

14/07/2026

IK Multimedia introduce ReSing Voices Brazilian Pack

Launched alongside new Singer Showcase purchase model IK Multimedia's innovative vocal-synthesis software has just gained its latest voice add-on, the R...

14/07/2026

MIDI Innovations Awards 2026

Registration open until 1 September 2026 The MIDI Association have revealed that the registration deadline for this year's MIDI Innovation Awards has no...

14/07/2026

Launchkey MK4 88 joins Novation line-up

88-note model completes MK4 range Novation have just introduced the final model in their flagship MIDI controller keyboard range, the Launchkey MK4 88. Roun...

14/07/2026

First look revealed for Friday the 13th prequel, Crystal Lake, from A24 coming to Sky and NOW in the UK and Ireland this October

Tuesday 14 July 2026 First look revealed for Friday the 13th prequel, Crystal ...

14/07/2026

Surround Is Still the Standard

When immersive audio dominates industry headlines, it's easy to assume that every broadcaster is preparing for an Atmos future. The reality is quite differ...

14/07/2026

Fresh Thinking from MAD//Fest London 2026

Emma and Sophie from ICG's marketing team joined thousands of fellow marketers, brands and agencies at MAD//Fest London 2026, one of the UK's biggest ma...

14/07/2026

How Merchants Can Prepare for the Next Evolution in Digital Commerce

Pilot Project Shows How Retailers Are Prepared for the Next Step in the Evolution of Digital Commerce Arvato Systems Drives Agentic Commerce Forward G terslo...

14/07/2026

Building a more sustainable future - Our commitment to climate action

As part of this commitment, weve joined the SME Climate Hub, publicly pledging to: measure our greenhouse gas emissions reduce them in line with a net zero p...

13/07/2026

Techivation release M-Compressor 2

Adds new intelligent Mix Assistant feature With their product range now featuring numerous processors across two distinct line-ups, the M-Series and T-Serie...

13/07/2026

Avalanche Tones release Chainsaw Suite

Plug-ins for heavy music Avalanche Tones is the brainchild of Ava Toton, a 17-year-old musician and developer who says her goal is to make the lives of gui...

13/07/2026

Gamechanger Audio launch the Plus Pedal II

Popular sustain effect overhauled Latvia-based innovators Gamechanger Audio have just launched a new and improved version of their popular sustainer unit. B...

13/07/2026

20 Years On the Pitch Together

Celebrating Two Decades of ICG and League Football Education This year marks 20 years of working with League Football Education (LFE) the charity responsible ...

13/07/2026

Silver for Arvato Systems at the 2026 Service Provider Award

Silver for Arvato Systems at the 2026 Service Provider Award Award in the AI as a Service Provider category recognizes AI expertise and innovative strength ...

13/07/2026

RT News Appoints Joe Mag Raollaigh as new Managing Editor of Nuacht

RT News is pleased to announce the appointment of Joe Mag Raollaigh as the new Managing Editor of Nuacht, the Irish Language News and Current Affairs service a...

12/07/2026

Korg NTS-4: DIY analogue performance mixer

Offers six-channels and built-in effects Korg's latest release introduces a new analogue mixer that's been designed to act as a hub for live electro...

11/07/2026

Handcrafted Mallets from Handcrafted Audio

Promises a vividness and depth rarely found in software Switzerland-based Handcrafted Audio's latest creation is an interesting hybrid instrument that...

10/07/2026

AES Show Nashville: Early Bird registration opens

Discounted rates available through 27 August 2026 The Audio Engineering Society (AES) have announced that Early Bird registration is now open for the AES Sh...

10/07/2026

Sony introduce the IER-M500

New in-ear monitors to launch in August 2026 Sony have announced the upcoming launch of a new pair of in-ear monitors that promise to deliver a secure, stab...

10/07/2026

New RT documentary explores Irish-led efforts to build bridges

New RT documentary explores Irish-led efforts to build bridges in divided Cyprus More than a Game: From D1 to Pyla airs Monday 13 July More Than a Game: Fro...

09/07/2026

Universal Audio Black Box HG-2 & elysia karacter

Latest analogue-emulation plug-ins revealed Universal Audio have just added two new analogue-emulation plug-ins to their DSP-powered UAD line-up. Developed ...

09/07/2026

Neumann launch U 47 FET Bon Scott Edition

Limited-edition mic celebrates rock icon Neumann have partnered with the Bon Scott Estate to create a limited-edition version of the U 47 FET that honours b...

09/07/2026

Plugin Station: Plug-in management software

Handles organisation, updates, troubleshooting & more Created by pro-audio software developer Julian Worden, Plugin Station from Julian Michael Technologies...

09/07/2026

LANDR expand Fair Trade AI programme

Introduces new $1 million advance programme LANDR have just announced the next phase of their Fair Trade AI programme, a pioneering opt-in music-licensing p...

09/07/2026

Spitfire Audio expand low-cost Originals range

Four new titles now available Spitfire Audio have just introduced four new titles in their Originals range, bringing the total count of libraries in the low...

09/07/2026

The Search for Leah Croucher: A Parent's Nightmare for U and U&W

Years in the making, this intimate documentary draws on rare access to Leah Crouchers family to tell the story behind one of Britains most high-profile missing ...

09/07/2026

Enjoy Gigafast speeds and Ultimate TV pack for less

Thursday 9 July 2026 Enjoy Gigafast speeds and Ultimate TV pack for less The latest deals have dropped from Sky TV and Sky Broadband, the award-winning provid...

09/07/2026

Local campaigns with impact

Hands up who would like to dress up as a giant crisp packet? The call that went out across the agency as our anti-litter campaign, Wish you weren't here fo...

08/07/2026

Universal Audio introduce Black Box HG-2 & elysia karacter

Latest analogue-emulation plug-ins revealed Universal Audio have just added two new analogue-emulation plug-ins to their DSP-powered UAD line-up. Developed ...