
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness came malicious attackers who look to exploit weaknesses in websites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often award money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and awarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest number of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports concern sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for partner developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond to and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.